A federal task force released its long-awaited cybersecurity recommendations report Friday evening.
The far-reaching report from the Health Care Industry Cybersecurity Task Force was mandated by the Cybersecurity Act of 2015.
The task force convened 21 wide-ranging stakeholders in medical cybersecurity, ranging from device manufacturers to hospitals to consumer advocates.
Workforce issues are the “most foundational problem” for much of the sector, said Josh Corman, co-founder of the device cybersecurity advocacy group I Am The Cavalry and member of the task force. While all industries are bracing for a cybersecurity talent crunch, healthcare faces a few unique problems.
“It’s not just that small- and medium-sized businesses lack funding to incentivize talent. It’s not just the growing lack of talent or encouraging people to go to rural locations. It’s all of them,” Corman said.
Though the Health Insurance Portability and Accountability Act (HIPAA) requires healthcare offices to designate an employee in charge of information privacy, many have no training in cybersecurity. Some offices only employ staff in the single digits, meaning an investment in a new full-time worker to handle information security would be an untenable investment.
The challenge, said Corman, is to scale existing talent while working toward more complete security staffing.
One of the report’s more counterintuitive suggestions targets scaling this kind of talent by amending anti-kick back laws that could prevent a larger healthcare provider from sharing security software or resources with smaller offices.
Other models for scaling resources include pooling multiple office resources into hiring a multi-organization chief information security officer.
Source: The Hill