In June 2017, the Health Care Industry Cybersecurity Task Force, consisting of 21 individuals from various walks of health care and information technology, issued its Report on Improving Health Care Industry Cybersecurity.

Supported by the Department of Health and Human Services, the Department of Homeland Security, and the National Institute of Standards and Technology, the Task Force outlined the state of cybersecurity in health care and the current and emerging cyber threats in health care, and provided recommendations and action steps.  While most commentators focused on the imperatives and recommendations, they seemed to miss the real story: the impact of smaller practices on America’s health care and their need for adequate information security protections.

Small Practices, Rural Hospitals and Cybersecurity

According to the report, smaller practices and rural hospitals provide most of the health care in the country but lack the information security resources to implement and rapidly deploy protections against ongoing, ever-changing tactics, threats and attack vectors.  Typically, these organizations do not have:

Also, the report noted that smaller practices and rural hospitals “continue to use unsupported legacy systems, and lack access to proper security training [and] have not crossed the cybersecurity digital divide”. While larger organizations can afford to spend millions on their IT, according to the report, “small organizations cannot afford to retain in-house information security personnel, or designate an IT staff member with cybersecurity expertise”.  Even larger organizations face challenges as a result of their leadership’s decision to either not increase or even decrease their budgets despite increasingly complex cyber threats.  While many believe that only large organizations are the target of cyber attackers, the reality is that ALL health care organizations, regardless of size, are targets.

The report highlighted the importance of small entities having appropriate security controls.  Specifically, the report noted that a “coordinated attack on multiple small and medium health entities could pose a significant risk to national security . . . destabilize public trust in the health care industry and as such, negatively affect the entire critical infrastructure sector.”

Small and Medium Health Care Providers are Easy Targets for Cyber Criminals

Small to medium health care providers are easy targets for cyber criminals and typically have less complex information systems.  However, their data is as good and as valuable as information obtained from larger organizations and easier to obtain.  Also, these organizations are required to adhere to the same rules and regulations regardless of size.  There is no small practice exemption or lower bar for protecting patient data.

Consider Outsourcing Information Security Activities

Since smaller entities usually have less complex systems and less expertise to develop and maintain information security infrastructure, the Task Force recommended that the organizations engage managed security service providers (MSSPs), companies that provide network and information system security services to organizations that outsource these activities.  MSSPs would provide the high level security services and oversight in an efficient and cost-effective manner that ensures compliance with applicable federal, state and industry information security requirements.  MSSPs could focus on the small and medium-sized organizations’ key information security needs, such as critical network perimeter controls, end-point controls, identity and access management, and encryption, while the health care organizations focus on providing services to needy patients.

Small and medium-sized health care providers comprise the majority of America’s health care landscape.  Yet they are most vulnerable to cyber threats because they lack the resources and expertise to adequately protect their patients’ information.  Outsourcing information security systems seems to provide an affordable and competent solution for acquiring needed expertise to combat constantly evolving cyber threats and adhering to regulatory requirements for information security.