Task Force Urges a Cyber Coordinator for Health Care

ESB Professional/Shutterstock.com

HHS should also work with industry to build a cyber emergency response team for medical devices.

The Health and Human Services Department should have a single point person to coordinate cybersecurity initiatives with the health care industry, according to a recent report.

That cyber coordinator should be responsible for working with industry to assess cybersecurity risks and ensuring government efforts to improve health care cybersecurity aren’t working at cross purposes from each other, according to the report from the Healthcare Industry Cybersecurity Task Force.

The coordinator should also be a liaison with other cybersecurity centers in the government, including advocating for health care industry concerns in interagency councils that determine whether U.S. intelligence agencies should disclose newfound software vulnerabilities to manufacturers or save them to exploit against adversaries, the report states.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The task force also recommends HHS work with industry to build a cybersecurity rapid response team, known as a Medical Computer Emergency Readiness Team, or MedCERT, to specifically respond to vulnerabilities in medical devices.

The report, which was required by a 2015 law focused on cybersecurity information sharing, also recommends developing a cybersecurity best practices guide for the health care industry that builds off a general cybersecurity framework for industry developed by the National Institute of Standards and Technology.

Other recommendations include:

  • Requiring federal agencies to harmonize laws and regulations that affect health industry cybersecurity.
  • Revising regulations to make it easier for hospitals to share cyber threat information.
  • Various action items to improve the cybersecurity of medical devices and health records systems, including developing better controls to verify who is accessing those systems.
  • Various action items aimed at improving the quality of the medical cybersecurity workforce and the cyber education of nontechnical health care workers.