U.S. Department of Health and Human Services


Join the Conversation: Cybersecurity Challenges to Health Care

Author: Stephen Curren, Director, ASPR Office of Emergency Management, Division of Resilience
Published Date: 8/18/2016 11:29:00 AM
Category: Public Health Preparedness;

Implementing effective strategies and safeguards to address cybersecurity threats is a challenge for any industry, but the size and scope of attacks on health care information systems have grown rapidly in the past two years. Health care data can be used to commit fraud or identity theft. It can also be used to disrupt hospital systems. Connected medical devices with unaddressed cybersecurity vulnerabilities could pose a risk to patient safety. Security of health care data and medical devices is essential to protecting patients and providing them with the highest level of care.

The Health Care Industry Cybersecurity Task Force is looking for your input to help improve cybersecurity across the industry. The Task Force is working to help identify risks, gaps, challenges, and best practices related to cybersecurity issues in the health care sector.

If you have an interest and expertise in health information technology, please help us better understand how you evaluate and mitigate risks related to cybersecurity in the health care sector and what gaps you think still remain.

Please take a few minutes to answer any or all of the following questions in a comment to this blog. We are working to stimulate discussion and share the best ideas, so your responses may be made public. Please do not include any proprietary, personal/private, sensitive, or confidential information.

  • What are the top cybersecurity risks and concerns unique to the health care sector?
  • What best practices are currently being employed by other sectors that might help us improve the security of the health care sector?
  • What are the biggest gaps and challenges for the development and deployment of medical devices and electronic health records?
  • How can the health care sector be better educated with regard to cybersecurity?
  • What challenges do health care sector organizations have to overcome in order to share cyber related incidents with a consortium?

Enhancing cybersecurity in the health care sector can help reduce risks for the industry and give patients peace of mind. The Task Force will use these inputs to augment its work and to support the broader goals of gathering information to disseminate to health care industry stakeholders; creating a single system for the Federal Government to share actionable cyber threat information; and developing the final report to Congress.

The Health Care Industry Cybersecurity Task Force was established by the U.S. Department of Health and Human Services in March 2016 per the Cybersecurity Information Sharing Act of 2015. The Secretary of Health & Human Services, in coordination with the Department of Homeland Security and the National Institute of Standards and Technology, selected a broad array of expert representatives from the Federal Government, private sector health care organizations, and other public and private sector experts on information technology and cybersecurity.

The Task Force holds monthly meetings to review its progress and identify concerns and practices both internal and external to the health care sector. The Task Force opens its meetings to the public on a quarterly basis. During the April and July meetings the Task Force received briefings from Federal leadership about the importance of cybersecurity for the health care sector, gained insight about the processes and best practices of other sectors, and reviewed the results of cybersecurity exercises and medical device workshops.

As Acting Assistant Secretary Mary K. Wakefield indicated when she announced the formation of the Task Force, we need to protect the data that is at the foundation of our health care system. With your input, we hope to do that more effectively and find more efficient ways for the industry as a whole to protect health care information.


Touches on many of the stated topics

After attending the Emergency Preparedness Summit in Atlanta a couple of years ago, a breakout session heightened my awareness of all the USB ports on medical equipment. I still moonlight in a hospital in security and just started noticing that most equipment has a USB port, I would assume for upgrades. The story related in Atlanta was OR staff charging phones from equipment during surgery. In today's environment people don't understand or just don't care about the capacity for phones, iPods, etc. to insert a virus or to steal information. To me, this is one of the biggest challenges on many fronts.
9/7/2016 9:11:12 AM

Responses to the Questions

1) Top Security Risks

a. Education - for years and years it has been beaten into the healthcare worker mindset of “Do not lose PHI information.” While that is extremely important, there is a lot more to cyber security than “losing PHI information”. A hospital staff person related to me, “I am the Security Officer and seek to improve my skills and abilities but have not found anyone who can direct me in how to gain the education I need to move forward in my role and skills. Training programs and IT mentors are needed to help individuals improve their skill level or ability to provide their facilities the help they need to be better prepared and/or able to handle the IT role.”

b. IT Support – lack of skilled cyber security employees or, at smaller rural hospitals, no on-site IT support at all. It is all contracted off site. As one hospital personnel related to me, “Our facilities cannot afford the cost of having our own onsite IT technician. We participate in a data center that periodically sends out support for projects, major emergencies and basic upgrades and changes. Day to day support is lacking.”

2) Being Better Prepared/Sharing Information

a. Lessons Learned – There is a distinct lack of detailed lessons learned from hospitals, public health and other healthcare entities who have gone through a cyber event. Probably on advice from counsel, healthcare entities are unwilling to acknowledge anything has happened, much less talk about it and help peers learn from their experience. Solution – Is it online training? Webinars? Or onsite training? I don’t know, but the training has to be peer to peer and focused on that specific audience. What is given to staff vs IT personnel vs Executive Leadership should not be the same. I’ve seen lots of reports, articles and papers from “experts” that dictate you have to do this, this and this. That’s great for healthcare personnel who have the time to dig through all that, but most don’t.

Because cyber security, in the healthcare sector, is such a vast, complex issue, my opinion is that a lot of facilities don’t even know where to start.
9/9/2016 9:02:46 AM

Comments to Cyber Task Force

Thank you for the opportunity to listen in to the Cyber Task Force meeting Oct 26th. I have a couple of comments I wish to share. These are in addition to the comments of 9/9/2016 9:02:46 AM. I work for the State of Kansas and one of my tasks is to monitor the ongoing cyber activity, weed out all the noise, and develop educational briefings or reports for the Healthcare Sector across the state. I have to agree with a couple of speakers who stated that the amount of cyber information being generated by numerous private and government partners is overwhelming. I can’t imagine what it would be like for a medium/small hospital security officer to wade through all the regulatory/legal and advice noise to come up with actionable information. The boots on the ground individuals don’t have time to read through multiple reports and websites to keep up to date. I am starting to see cyber fatigue. And lastly, HHS/CDC education: I have yet to hear anything about cyber preparedness, mitigation etc. from anyone outside of senior level personnel who are intricately involved with the issue. It’s almost like it doesn’t exist outside of DC or a couple of people in Atlanta. Everyone is well versed in preparedness in SNS/HPP/HCC/PHEP planning, but ask about cyber planning assistance to the healthcare sector. Nothing. Thank you for your time. David Marshall
10/28/2016 8:35:27 AM
