The healthcare sector has a big problem. There's a great deal of information security immaturity and a lack of resources among smaller clinics, rural hospitals and other organizations. In the push to exchange electronic patient data nationwide, those entities are potential weak links in the security chain.
More has to be done to ensure these smaller organizations are aware of emerging cyberthreats and vulnerabilities - and are prepared to mitigate them. That potentially requires more handholding from federal agencies - such as by issuing timely cyber-alerts and guidance. But it also means broader outreach and more affordable membership fees for information-sharing organizations, such as the National Health Information Sharing and Analysis Center and others, so that the little guys are also in the cybersecurity intelligence loop.
Last week, the Department of Health and Human Services took an important initial step toward improving cyberthreat information sharing. HHS announced it would investigate various options to ensure important cyber-intelligence gets to all healthcare organizations, regardless of size. It's weighing whether to establish another ISAC for the healthcare sector or bolster the capabilities of an existing organization.
It's good to see that HHS is focusing attention on an important issue, although the move is long overdue. Now, it's time for the agency to take prompt leadership action, because improving accessibility to cyberthreat intelligence for organizations of all sizes is urgent, in light of growing evidence that the healthcare sector is increasingly being targeted by hackers.
For example, Boston Children's Hospital was hit by a distributed denial-of-service attack earlier this year. And Community Health Systems fell victim to a hack attack, perhaps involving the Chinese, that exposed millions of records.
The old adage says that you're only as strong as your weakest link. At a time when healthcare providers are being urged by the federal government to exchange electronic patient records to improve the quality of care - and consumers want to share health data they collect on their own wearable gadgets - we must eliminate weak spots. That means we must make sure, for instance, that providers of all sizes and types have timely access to information about new malware, software flaws or cyberthreats - and the steps they need to take to mitigate those issues.