Date: 2015-06-17

The healthcare sector in the U.S. is in critical condition and in dire need of an overhaul to address widespread and systemic information security weakness that puts patient privacy and even safety at risk, a Congressional Task Force has concluded.

The report, released to members of both the U.S. Senate and House of Representatives on Friday, concludes that the U.S. healthcare system is plagued by weaknesses, from the leadership and governance of information security within healthcare organizations, to the security of medical devices and medical laboratories, to hiring and user awareness. Many of the risks directly affect patient safety, the group found. It comes amid growing threats to healthcare organizations, including a ransomware outbreak that affected scores of hospitals in the United Kingdom.

The final report by the Health Care Industry Cybersecurity Task Force [PDF] is a call to arms for the healthcare sector, featuring more than 30 pages of recommendations and "imperatives," some of which are bound to be the source of controversy. Among other things, the report calls for the creation of a leader role within the Department of Health and Human Services (HHS) focused on cyber security.

[...] The report describes the U.S. healthcare system as a "mosaic" of large health systems, single physician practices, public and private payers, research institutions, and medical device and software companies. The U.S. healthcare sector services a diverse and widespread patient population, often through small practices and rural hospitals. The complexity of the system introduces risk and complicates the job of establishing comprehensive cyber security standards.

[...] The report comes amidst a dawning recognition that the nation's biomedical infrastructure is highly connected and vulnerable, said Dale Nordenberg, the Executive Director of the Medical Device Innovation, Safety and Security Consortium.

[...] To tackle the problem, Congress needs to take a holistic approach, notes Fernando of Underwriters Laboratories. "We're not dealing with silo'd and vertical industries. There's a lot of cross cutting." Funding from the federal government won't solve the problem alone, but federal money can promote activities that, over time, will result in public sector and industry action to improve cyber security, he said.