MITRE has released a comprehensive report addressing healthcare cybersecurity and patient safety. The report focuses on improving national cybersecurity, modernizing regulations, developing the healthcare cybersecurity workforce, enhancing the cybersecurity capabilities of healthcare organizations, emergency preparedness, and cybersecurity in home healthcare. MITRE’s unique perspective as a research organization enables it to provide valuable insights and best practices for incorporating cybersecurity into healthcare settings. The report emphasizes the shared responsibility of implementing cyber hygiene practices while ensuring they do not compromise patient safety.
MITRE, a federally funded nonprofit research organization, has published a new whitepaper in response to the policy paper titled “Cybersecurity is Patient Safety: Policy Options in the Health Care Sector” introduced by Sen. Mark Warner, D-Va. This latest MITRE report aims to gather insights and recommendations for enhancing cybersecurity measures within the healthcare industry, consequently improving patient safety.
The report titled “Cybersecurity and Patient Safety in the Healthcare Setting” focuses on several key areas:
- Enhancing the national cybersecurity risk posture in the healthcare sector
- Modernizing regulatory frameworks, including the security and privacy rules of the Health Insurance Portability and Accountability Act (HIPAA), to bolster cybersecurity protections
- Developing a skilled healthcare cybersecurity workforce
- Strengthening the cybersecurity capabilities of healthcare delivery organizations
- Emergency preparedness and response strategies
- Addressing cybersecurity in the context of healthcare at home
Additionally, the MITRE report provides a step-by-step approach and includes valuable links to relevant cyber frameworks and training resources.
MITRE emphasizes its unique perspective in this domain as a research organization collaborating with government entities and healthcare stakeholders to tackle threats and contribute to defense planning. Its subject matter and technical experts identify and compile best practices for integrating cybersecurity into healthcare settings, fortifying institutions against cyber attacks, and aiding the development of cybersecurity policies that address emerging threats.
The increasing frequency of cyberattacks targeting hospitals and healthcare networks, whether to deploy ransomware or to extract sensitive consumer and health data without authorization, has drawn significant attention from policymakers. Notably, both healthcare organizations and technology companies like NextGen, an electronic health records vendor, have fallen victim to such attacks. NextGen experienced a ransomware attack in January and, more recently, unauthorized access that exposed the personal data of over one million patients.
In light of these incidents, Dave Bailey, Vice President of Security Services at Clearwater, emphasizes the need for immediate response and the execution of effective playbooks and response procedures when a cyberattack is confirmed. He advises organizations to assume that threat actors have been active on their networks, compromised one or more accounts, and exfiltrated data. Furthermore, Bailey stresses the importance of implementing third-party risk management programs that assess vendors based on patient safety risks. High-risk vendors must demonstrate the presence of robust controls to protect patient information and ensure organizational success and quality outcomes.
MITRE’s Center for Data-Driven Policy underscores the shared responsibility of implementing cyber hygiene practices among the federal government and private sector. With evolving technologies and increasingly sophisticated attackers, the process of creating cyber hygiene practices needs to be streamlined and adaptable to different clinical environments, varying levels of expertise, resource availability, and computational capabilities. These practices must also be designed in a way that does not inadvertently compromise patient safety.