The independent, Congressionally mandated Health Care Industry Cybersecurity Task Force released its report last week, setting out its findings about the state of security in America’s health technology (very, very, very bad) and its recommendations (basic commonsense cybersecurity 101).
Critically, the report says that without direct, meaningful, extensive government intervention, the problems cannot be fixed. Given the current regulatory climate, it’s unlikely that this will happen.
The report found that the current dismal state was due primarily to two factors: “premature and excessive connectivity” (buying Internet of Things technology before it was ready for prime time) and “a severe lack of security talent in the industry” (hospitals can’t bid against tech giants and startups for IT and security talent).
The problems were accelerated by Congressional incentives to adopt and spread electronic health records, and Medicare and Medicaid’s “Merit-Based Incentive Payment System,” which caused hospitals and doctors to rush into technology they couldn’t support and didn’t understand.
The task force’s recommendations are very straightforward: “define governance expectations,” “increase security,” “develop cybersecurity capacity in the healthcare workforce,” “increase cybersecurity preparedness,” “identify mechanisms to protect systems”, and “improve industry sharing” of threat-related intel.
So, just that.
It was clear to everyone on the task force, Corman noted, that there were no technical barriers to a “sustained denial of patient care like what happened at Hollywood Presbyterian, on purpose” at virtually any healthcare facility in the United States. “I said we all make fun of security through obscurity, but what if that’s all we have?” Corman recounted. “Seriously. What if that’s all we have?”
Given that untargeted and incidental attacks on hospitals have already happened, it seems inevitable that someone will carry out a targeted attack at some point. Corman said that increases the importance of doing disaster planning and simulations now to optimize responses, “so we can see who needs to have control—is it FEMA, the White House, DHS, HHS, the hospitals? We drill with our kids what you’re supposed to do in a fire. Before we have a boom, we need to prioritize simulations, practice, and disaster planning.”
Another part of planning for the post-attack scenario—or “right of boom”—is to make sure that the right supports are in place to quickly recover. “We need to make sure that we’ve done enough scaffolding now so that we can have a more elegant response,” Corman said, “because if this looks like Deepwater Horizon, and we’re on the news every night, every week, gushing into the Gulf, that’s going to shatter confidence. If we have a prompt and agile response, maybe we can mitigate the harm.”
REPORT ON IMPROVING CYBERSECURITY IN THE HEALTH CARE INDUSTRY [Health Care Industry Cybersecurity Task Force]
Task force tells Congress health IT security is in critical condition
[Sean Gallagher/Ars Technica]