Health Industry Cybersecurity Practices

“For smaller sized organizations it’s quite normal to believe you will not be targeted or the victim of any cyberattacks. After all, why would a cyber criminal care about your local business? The truth of the matter is most cyberattacks are “opportunistic”; this means the criminals cast a wide net when they are looking for victims. Think of sea faring fishermen. The methodologies they use involve scouring the seas, casting their nets, and pulling in the fish that are caught. As an individual fish in the sea you might think it’s quite unlikely you will be captured. However, what is guaranteed is that the fishermen will get some fish.”

 

Overview

Cyber threats to healthcare entities put patient health, business continuity, and IT systems at risk. Under the auspices of the Cybersecurity Act of 2015 (CSA), Section 405(d), HHS convened the CSA 405(d) Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use to enhance cybersecurity.

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) was developed to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the most pertinent cybersecurity threats. The HICP provides guidance on cost-effective methods that a range of healthcare organizations at every size and resource level can use to reduce cybersecurity risks.

The 405(d) Aligning Health Care Industry Security Practices initiative, along with the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) publication for which these videos are related too, are in partnership with the Healthcare & Public Health Sector Coordinating Council (HSCC)​

Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations

 

#1 – Introduction and Email Protection Systems

Most small practices leverage outsourced third-party e-mail providers, rather than establishing a dedicated internal e-mail infrastructure. The e-mail protection practices in this section are presented in three parts:

1. E-mail system configuration: the components and capabilities that should be included within your e-mail system

2. Education: how to increase staff understanding and awareness of ways to protect your organization against e-mail–based cyberattacks such as phishing and ransomware

3. Phishing simulations: ways to provide staff with training on and awareness of phishing e-mails

#2 – Endpoint Protection Systems

A small organization’s endpoints must all be protected. But what are endpoints? And, what can a small healthcare organization do to protect their endpoints?

David Willis, MD and Kendra Siler, PhD with the Population Health Information Analysis and Sharing Organization at the Kennedy Space Center are here to discuss what you should be doing to reduce the chances of a cyber attack penetrating your endpoints.

#3 – Access Management

In this section, we will be discussing Cybersecurity Practice Area Number 3 – Access Management for small healthcare organizations.

This discussion will be organized into three sections:

1. What is access management?

2. Why is it important?

3. How can HICP or “hiccup” help improve access management for small healthcare organizations?

#4 – Data Protection and Loss Prevention

The National Institute of Standards and Technology, or NIST for short, defines a data breach as “an incident that involves sensitive, protected, or confidential information being copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.”

Sensitive, protected, or confidential data includes Protected Health information (PHI), credit card numbers, customer and employee personal information, and your organization’s intellectual property and trade secrets.

 

#5 – Asset Management

What information technology, or IT devices, do you have in your organization? Do you know how many laptops? mobile devices? And network switches you have in all your locations? Which ones run Windows or Apple’s IOS or one of Android’s several operating systems? If it isn’t attached to a wall or a desk, who is responsible for each device?

#6 – Network Management

Networks provide the connectivity that allows workstations, medical devices, and other applications and infrastructure to communicate.  Networks can take the form of wired or wireless connections.  Regardless of the form, the same mechanism that fosters communication can be used to launch or propagate a cyber-attack. 

Proper cybersecurity hygiene ensures that networks are secure and that all networked devices can access networks safely and securely. Even if network management is provided by a third-party vendor, organizations should understand key aspects of proper network management and ensure that they are included in contracts for these services.

#7 – Vulnerability Management

Vulnerability management is a continuous practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.  Many information security compliance, audit and risk management frameworks require organizations to maintain a vulnerability management program. 

#8 – Incident Response

Incident response is the ability to identify suspicious traffic or cyberattacks on your network, isolate it, and remediate it in order to prevent data breach, damage, or loss. Typically, incident response is referred to as the standard “blocking and tackling” of information security. Many types of security incidents occur on a regular basis across organizations of all sizes.  In fact, most networks are under constant attack from outside entities.  

#9 – Medical Device Security

Health care systems use many different devices as part of routine patient treatment. These range from imaging systems to devices that directly connect to the patient for diagnostic or therapeutic purposes. Such devices may have straightforward implementations, such as bedside monitors that monitor vital signs, or they may be more complicated, such as infusion pumps that deliver specialized therapies and require continual drug library updates. These complex and interconnected devices affect patient safety, well-being, and privacy, and they represent potential attack vectors in an organizations’ digital footprint. As such, these devices should include security controls in their design and configuration to support being deployed in a secure manner.

#10 – Cybersecurity Policies

Cyber Security Practice #10: Cybersecurity Policies includes best practices which are document specific to the implementation of cybersecurity policies and procedures in your healthcare organization.