E-News Exclusive

Health Care Organizations Don’t Pay Enough Attention to Cybersecurity

Solving the problem of cybersecurity in health care will require public-private collaboration and transparency. That was the message delivered by Terence M. Rice, vice president and chief information security officer at Merck & Co, Inc, in testimony before the Subcommittee on Oversight and Investigations of the House Committee on Energy and Commerce on April 4.

“Cybersecurity in the health care industry is far worse than what is reported,” Rice says.

Citing the 2016 IBM Cyber Security Intelligence Index, which deemed health care the single most attacked industry, Rice listed many reasons media reports underrepresent the risk faced by the industry. These include organizational concerns about reputational damage, the presence of smaller businesses with limited resources that allow them to deal only with basic cybersecurity issues, increased security risk due to the portability of health care information, and increased opportunities for attack due to the proliferation of software in the health care ecosystem.

Rice’s testimony identified existing initiatives that may provide a foundation for greater health care cybersecurity. These include the following:

• the Department of Health and Human Services’ (HHS) Sector Coordinating Council, which regularly discusses cybersecurity developments;

the National Health Information Sharing and Analysis Center (NH-ISAC), a coalition of 200-plus companies proactively sharing actionable intelligence and collaborating on ways to more effectively secure “big data” within the health care industry; and

the SAFE-BioPharma Association, a coalition of pharmaceutical companies which, in collaboration with the FDA, National Institute for Standards and Technology (NIST), General Services Administration (GSA), and regulators in the European Union and Japan, developed a digital identity and digital signature standard assuring integrity, identity trust, and nonrepudiation of digitally signed documents. (SAFE stands for “signatures and authentication for everyone.”) A new version of the SAFE-BioPharma identity standard creates a trusted identity ecosystem that will allow the health care sector to meet levels of security based on NIST and GSA standards.

Among the areas of opportunity to enhance greater partnership and collaboration, Rice’s recommendations included the following:

• HHS appointment of a health care sector cybersecurity liaison to the private sector.

• A more thorough and detailed appendix added to the existing Healthcare and Public Health Sector Specific Plan. It will help public- and private-sector entities develop their own cybersecurity incident response plans.

• Increase the quality of cybersecurity intelligence and the speed with which it is shared.

• Smaller and more frequent HHS cybersecurity table top exercises and simulations to include a broader array of health care firms.

• Implement a digital health care identity based on an existing and proven government and private sector standard. Government agencies and larger health care firms should build out the health care identity ecosystem by implementing existing health care digital identity standards. Such an ecosystem would not only significantly improve cybersecurity but also streamline business processes and rationalize the fragmented redundant identity trust issue in health care.

• HHS, NIST, and the private sector need to produce a set of guidelines for the implementation of the NIST Cybersecurity Framework within health care entities.

• HHS and the private sector should engage with peers in other countries to ensure adoption of common cybersecurity standards and to identify ways to share threat intelligence more broadly across borders.

• Recruit departing military personnel to fill the estimated 200,000 open US cybersecurity positions. HHS, the Department of Homeland Security, and other sector-specific agencies can work with private industry to identify critical cybersecurity roles within the private sector and fill them with qualified departing military personnel.

Rice has been involved in health care cybersecurity for more than 15 years. In addition to his roles at Merck & Co, Inc, he participates in a number of public-private partnerships working to improve cybersecurity across the health care sector. These include the SAFE-BioPharma Association, where he is chairman of the board; NH-ISAC, where he serves on the board of directors; the Healthcare Sector Coordinating Council; and the Healthcare Industry Cybersecurity Task Force, which was created by the Cybersecurity Information Sharing Act of 2015.

Rice's entire testimony is available online.

— Source: SAFE-BioPharma Association