US health care sector lacks comprehensive cybersecurity protection

The U.S. health care sector is far from fully protected from the threat of cyberattack, a recent drill revealed.

Government Health IT reported that the drill, conducted by the U.S. Department of Health and Human Services and the Health Information Trust Alliance, found widely varying levels of cybersecurity preparedness among U.S. health care providers. On the positive side, the drill (known as the CyberRX drill) discovered that a great many of these organizations have taken sufficient steps to address cyber risks. Unfortunately, many other providers are lagging far behind in this area.

"Some organizations have very mature cyber risk programs that can identify cyber threats and actively engage in collaborative incident response efforts, while others rely more heavily on the compensating controls defined in their information protection framework, such as the CSF," said Daniel Nutkis, chief executive for HITRUST, the news source reported.

Nutkis noted that health care providers with less mature information security programs are particularly at risk from cybersecurity threats, as these were traditionally seen as lower-risk areas, Government Health IT reported. New circumstances now suggest this approach must be reconsidered, Nutkis added.

A necessary partnership
To help health care organizations improve their cybersecurity efforts, HHS and HITRUST are working together to increase awareness of these issues, the news source noted. Specifically, the groups will alert these firms to monthly briefings offered by HITRUST and HHS.

Similar partnerships may emerge in the near future. The news source reported that Rep. Michael Burgess of Texas recently spoke at the HITRUST conference in Texas, where he emphasized the need for cooperation between the federal government and private sector to improve U.S. health care cybersecurity.

The need for such improvement is growing. The FBI recently warned that health care is significantly more vulnerable to cyberthreats than other sectors, Reuters reported.

"The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely," the FBI explained, according to the news source.

Reuters noted that health data is extremely valuable to hackers, who can sell this information on the black market even more readily than credit card numbers.

As health care organizations continue to embrace electronic health records, as mandated by federal law, these risks will only grow. Greater efforts from both the public and private sectors are essential for minimizing this risk.