With all the news and drama emanating from Washington these days, it's easy to miss the fact that a major leader of the cybersecurity community in the healthcare sector has just told Congress how bad cybersecurity really is across that entire industry.
Testifying before the Subcommittee on Oversight and Investigations of the House Committee on Energy and Commerce this week, Terence M. Rice, Vice President and Chief Information Security Officer (CISO) at Merck & Co., Inc., called on Congress to implement a series of systematic actions to help mitigate a crisis affecting the entire healthcare industry. Those actions include:
1. Have the Department of Health and Human Services appoint a healthcare sector cybersecurity liaison to the private sector
2. Develop an appendix to the existing Healthcare and Public Health Sector-Specific Plan that focuses on best practices for cybersecurity incident response
3. Increase the quality of cybersecurity intelligence and the rate at which that intelligence is shared
4. Develop smaller and more frequent exercises and simulations spanning multiple healthcare firms
5. Build an identity management ecosystem that would be deployed across the entire industry
6. Provide a set of guidelines for implementing the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) within the healthcare industry
7. Help implement cybersecurity best practices, and share intelligence, on a global basis
8. Train retired military personnel to fill an estimated 200,000 open cybersecurity positions in the U.S.
Rice testified that the cybersecurity risks facing the healthcare industry include smaller businesses whose limited resources allow them to address only basic cybersecurity issues, increased security risk due to the portability of healthcare information, and an expanded attack surface brought about by the proliferation of software across the healthcare ecosystem. That attack surface includes not only applications running in the data center, but increasingly an array of mobile computing devices employed to monitor patients.
It's not every day that a CISO stands in front of a Congressional committee and admits how bad things have become from a cybersecurity perspective inside their industry. Given the amount of personally identifiable information (PII) included in a healthcare record, it is little wonder that the healthcare industry has become a favorite target for cybercriminals. Thanks to an industry-wide initiative to reduce healthcare costs, more of those records are available in electronic format than ever. The problem is that most of the healthcare institutions charged with protecting those records don't have the resources or expertise required to accomplish the task. In fact, a survey published this week by MediaPro suggests that 70 percent of employees in the healthcare sector could be classified as either a risk or a novice when it comes to cybersecurity.
Unfortunately, it's not apparent what impact any act of Congress might have on improving the overall cybersecurity posture of the healthcare industry. The truth of the matter is that no one anticipated the intensity of the attacks that would be launched against a digital healthcare system. While there will never be perfect security in a system involving human beings, there is obviously a lot of room for improvement. At the same time, however, healthcare industry leaders and our elected officials need to realize there is no substitute for hands-on IT security expertise, which one way or another needs to be meaningfully funded.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.