The Report on Improving Cybersecurity in the Health Care Industry – where and how to start updating your cybersecurity strategy

Gus Malezis
Jun 06, 2017

On Friday, June 2nd, the U.S. Department of Health and Human Services (HHS) published The Report on Improving Cybersecurity in the Health Care Industry. The report is authored by the HHS Health Care Industry Cybersecurity Task Force – a team composed of top IT security and technology experts in both the public and private sectors, including Imprivata’s own David Ting.

Along with 20 other individuals, David has worked to develop recommendations in six strategic areas that will help healthcare organizations to combat cyber threats. David spearheaded sections on identity and access management – components that are critical to ensuring security and cyber resiliency.

The report examines ways to establish trust and resiliency across six key areas of cybersecurity preparedness, and offers recommendations and action items for consideration by policymakers and other stakeholders within the healthcare industry.

Digital transformation and desktop virtualization are accelerating in healthcare, and the historically paper-based industry is going electronic. But as digitization accelerates, so do cyber threats, as evidenced by the recent WannaCry attack. In fact, nearly 90% of healthcare organizations have been attacked in the last two years. Now, more than ever, having an effective security strategy that is trusted across the healthcare enterprise – especially as it relates to cyber threats – is a must. But healthcare needs to take into account more than just technology in order to have a truly valuable security strategy.

The report focuses on the importance of converging strategies across technologies, processes, and people, and offers concrete suggestions on how to go about securing an enterprise, such as:

  • Recommendation 1.2: Establish a consistent, consensus-based health care-specific Cybersecurity Framework. The framework should build upon the minimum standard of security required by the NIST Cybersecurity Framework and the HIPAA Security Rule to promote a single lexicon for the healthcare sector, as well as standards, guidelines, and best practices.
  • Recommendation 2.1: Secure legacy systems. Many legacy systems, such as medical devices and EHR applications, have security weaknesses which can contribute to systems being compromised. Securing those systems is part of ensuring the security of an enterprise.
  • Recommendation 2.4: Require strong authentication to improve identity and access management for health care workers, patients, and medical devices/EHRs. Delivery of effective care is based upon a confidence and trust in the identities of the individuals involved. Through strong, multi-factor authentication and the use of biometrics, provider identities can be known, and patients can be positively identified all the time, every time.

The Report on Improving Cybersecurity in the Health Care Industry will serve as a foundation for healthcare organizations looking to bolster – or perhaps create – their cybersecurity strategies.

Learn from David Ting about how your organization can create actionable cybersecurity strategies, based on recommendations from the report, by registering for our webinar, scheduled for June 27th.

------------

Congratulations to David Ting, CTO and co-founder of Imprivata, and all of the other Task Force members, on their hard work and dedication, culminating in this report!