Analysis: Are HHS Cybersecurity Recommendations Achievable?
Experts Sort Through New Task Force Report
A new Department of Health and Human Services report to Congress containing more than 100 recommendations for how healthcare can better address cybersecurity threats is stirring debate over whether smaller organizations will be able to take the recommended actions.
“Even though the task force did not have a much representation from small and rural providers, I was impressed with the numerous references to small and rural providers and the suggestions for helping them,” says Tom Walsh, president of the consulting firm tw-Security. “The task force gets it. Folks that reside inside the Washington D.C. beltway often forget that the majority of healthcare in our country is delivered in small or rural settings.”
For instance, the report notes: “We recommend that industry create more low-cost, managed security service provider models to support smaller and under-funded entities in order to ensure that they have the same level of robust, state-of-the-art security monitoring, defensive, and reporting capabilities as larger healthcare organizations.”
This would allow healthcare organizations to leverage resources and expertise, “such as a shared security official, and will create economies of scale. MSSPs would be better resourced to engage in information sharing activities, such as Information Sharing and Analysis Organizations,” the report adds.
The report recommends that the federal government “should evaluate incentive options, such as grants and tax incentives, to encourage more MSSPs to achieve economies of scale to support small and medium-size health care providers.”