
Task Force Issues Report on Health Care Industry Cybersecurity Challenges and Recommendations

Cyber Law and Data Protection Alert | June 7, 2017
By: Richard Borden, Lori Smith and Laura Schmidt

On Monday, June 5, the Health Care Industry Cybersecurity Task Force (the “HCIC Task Force”) issued its Report on Improving Cybersecurity in the Health Care Industry to Congress. The report highlighted that health care cybersecurity is a “key public health concern that needs immediate and aggressive attention.”

In the report, the HCIC Task Force identified six “imperatives” that must be achieved to increase security within the health care industry. The six imperatives are:

  1. Define and streamline leadership, governance and expectations for health care industry cybersecurity.
  2. Increase the security and resilience of medical devices and health IT.
  3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
  4. Increase health care industry readiness through improved cybersecurity awareness and education.
  5. Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
  6. Improve information sharing of industry threats, risks, and mitigations.

The HCIC Task Force was established by Congress in the Cybersecurity Act of 2015 to address the challenges the health care industry faces when securing and protecting itself against cybersecurity incidents, whether intentional or unintentional. Recognizing the complex nature of the United States health care system and the need to bring together representatives of numerous constituencies from both public and private sectors, the HCIC Task Force consists of individuals representing the federal government, hospitals, public and private payers, pharmaceutical companies, medical device manufacturers, technology companies and others. 

Also in the report, the HCIC Task Force notes that the U.S. health care industry is facing several challenges, such as the lack of security talent in the health care sector, the widespread use of legacy equipment, premature or overconnectivity without secure design or implementation, vulnerabilities that impact patient care, and an epidemic of “known vulnerabilities.” These challenges are further compounded by the health care industry’s complex structure, which includes a diverse range of participants and a tangled web of well-intentioned federal and state laws and regulations. In some cases these laws and regulations are inconsistent and incapable of being reconciled, and in others they may be impeding the sharing of data and other matters that are vital to improving our health care system and the delivery of patient care. The HCIC Task Force also recognized that these challenges are expected to continue to increase as the Internet of Things, automated medical delivery systems, and other digital health initiatives become an integral part of the health care system.

Each of the six imperatives features a cascade of recommendations and related action items for implementation. The HCIC Task Force notes in the report that successful implementation of these imperatives will require further collaboration between the public and private sectors. In total, the recommendations discuss changes to existing regulations and laws that impact the health care industry and the creation of new regulations and frameworks that are specifically designed for the health care industry.

We are continuing to review the HCIC Task Force’s report and will provide additional insight with respect to the six recommendations and the associated action items in the near future. If you have questions or would like more information, please contact Richard Borden (bordenr@whiteandwilliams.com; 212.631.4439), Lori Smith (smithl@whiteandwilliams.com; 212.714.3075) or Laura Schmidt (schmidtl@whiteandwilliams.com; 215.864.6333).

This correspondence should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult a lawyer concerning your own situation with any specific legal question you may have.