The U.S. Department of Health and Human Services’ (HHS) recent initiation of voluntary cybersecurity performance objectives for the healthcare sector signifies positive progress in the enduring war against increasingly advanced cyberattacks. This guidance points the way toward a sturdier and more resilient healthcare system in the U.S., with similar strides being made internationally, according to Taylor Lehmann, a cybersecurity executive at Google Cloud.
Lehmann, who was formerly the chief information security officer (CISO) at athenahealth and Tufts Medicine, emphasized that these regulatory steps should be aligned with industry collaboration and information sharing to drive sustainable change. He stated, “The benefit of the cyber performance guidelines is that it indicates where the ball is bouncing next, and what the standards and expectations are for what organizations should be working on.”
Lehmann believes that HHS’ recommendations will ultimately end up being key components in the final rulemaking or as regulatory requirements that are established as law in the future. This is a significant consideration for healthcare providers; some are already well into their digital transformations, while others continue to rely on outdated legacy IT systems.
Whether a hospital is prepared to achieve these cybersecurity goals largely depends on its size, budget, and the resources available to its IT security team. Despite these variations, Lehmann pointed out a universal blind spot across the healthcare industry: the absence of proper base-level security implementations such as multi-factor authentication and the use of unique credentials.
He highlighted the importance of identity as a control mechanism and urged all hospitals to concentrate on bolstering security in this area. Furthermore, he stressed the need for regular penetration testing and technical assessments to reveal high-impact and low-effort ways for hackers to breach a system, and simple remediations that could potentially provide immediate protection.
Lehmann’s final advice to healthcare providers is to test and fix until a baseline of security controls is established, and only then start considering how to prioritize voluntary goals such as HHS’ cybersecurity performance goals. As he noted, “Trust in systems, especially those that haven’t been assessed before, needs to be established regularly and continuously.”