No one likes to think about the possibility that patients might be hurt or killed as a result of cyber attacks. But all signs indicate that this is a real possibility and a serious problem. Attacks on Health IT systems such as EHRs or patient portals, electronic medical devices, or on standard healthcare digital systems can be a threat to patient safety.
To combat the cybersecurity threat, Congress and the Obama administration passed the Cybersecurity Information Sharing Act of 2015, which established mechanisms for the US Government to collaborate with private industry to respond to cybersecurity threats. Lawmakers recognized the unique problems with cybersecurity in health technology and created the Health Care Industry Cybersecurity Task Force, charged to make recommendations to Congress regarding specific cybersecurity issues. To paraphrase, we are to investigate:
- What can the healthcare industry learn from other industries about cybersecurity?
- What are the special challenges that we face with cybersecurity in healthcare?
- What are the difficulties protecting electronic health record (EHR) systems and networked electronic medical devices?
- What cybersecurity study materials should the healthcare industry be exposed to?
- How should an organization designed to coordinate the sharing of cybersecurity threats between healthcare industry players and the US Federal Government operate?
- Finally, we were asked give Congress a written report summarizing all of the above.
Our Task Force is asking the healthcare, patient and technology communities for help in this assignment. We are asking for discussion on these issues to be on platforms like The Health Care Blog, Reddit and Twitter, so the community may contribute new ideas as well as refine the ideas contributed by others. We are taking a crowdsourcing approach to cybersecurity ideation so we can aggregate and assess what people have to say about these issues.
Cybersecurity in healthcare is too complex for any small group to understand completely, and too important for any group to pretend that they can. We need advice. And we will listen to anyone who has the advice to give and the time to give it. We may not be able to follow your advice specifically. We might disagree with you, or your advice might not be something that fits into our narrow mandate, but we will do our absolute best to ensure that we at least consider it carefully.
If you think you have special insights on how best to protect the healthcare system from cybersecurity threats, please let us know, ASAP. We are already feeling the deadline for our report to Congress looming. We will be listening to any responses that you make on this blog post, we will be hosting a discussion on Reddit soon, and we will be listening to tweets tagged with the hashtag of #healthcybersecurity.
Member of the Healthcare CyberSecurity Task Force