The U.S. Department of Health and Human Services released a new guide, Health Industry Cybersecurity Practices, to help hospitals, physicians, and other healthcare facilities better manage threats and in turn, protect patients.
HHS released the guide (.PDF) last Friday, before the New Year’s holiday.
According to the health department, the goal of the document was to evaluate current cybersecurity threats affecting the healthcare sector, identify weaknesses, and provide practices that experts rank as the most effective to mitigate threats.
The guide breaks down five different threats - an email phishing attack, a ransomware attack, loss or theft of equipment or data, insider, accidental or intentional data loss, and attacks against connected medical devices that may affect patient safety - how they're caused, their impact, and ways to prevent them.
The document covers a lot of well-worn ground, especially in its real-world scenarios, but as a whole it's a good primer for healthcare organizations just beginning to implement cybersecurity safeguards.
Data loss remained a chief concern of healthcare organizations in 2018; according to the document, from January 1 to August 31 the HHS Office for Civil Rights (OCR) received reports of 192 theft cases affecting over two million individuals.
While in some cases the devices holding the data, laptops, tablets, and smartphones, were physically stolen, in many the data on them wasn't adequately safeguarded. The absence of encryption for data at rest, and of controls that keep equipment and sensitive data from being moved, can lead to the loss of sensitive patient information, or even proprietary or confidential company information.
The department encourages practices to encrypt sensitive data, implement data backups, acquire data loss prevention tools, and implement a safeguards policy for mobile devices, along with ensuring there's ongoing user awareness training around securing the devices. Encryption carries extra weight here: under the HIPAA Breach Notification Rule, PHI encrypted in line with HHS guidance is not "unsecured" PHI, so a lost or stolen laptop with an encrypted disk is generally not a reportable breach, while the same laptop unencrypted is.
In addition to training staff on data access procedures and using privileged access management tools to ferret out insider, accidental, and intentional data loss, HHS also encourages practices to deploy data loss prevention tools to detect and block the leakage of protected health information (PHI) and personally identifiable information (PII) via email and web uploads.
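To make the DLP recommendation concrete, here is the kind of content-inspection check such a tool applies to outbound mail. This is an added illustration written for this article; it is not code from the HHS guide, HHS, or any vendor. The internal mail domain (example-hospital.org), the medical record number format (MRN followed by eight digits), and the sample messages are all assumptions constructed for the example, and attachments are assumed to have already been converted to plain text.

```python
"""Content-inspection check for outbound e-mail, in the spirit of the DLP
recommendation above. Illustrative code, not HHS's or any vendor's product."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed house conventions (hypothetical): the organisation's own mail domain
# and the format of its medical record numbers.
INTERNAL_DOMAIN = "example-hospital.org"
MRN_RE = re.compile(r"\bMRN[-: ]?\d{8}\b", re.IGNORECASE)

# SSN in dashed form, rejecting ranges the SSA never issues (area 000, 666,
# 900-999; group 00; serial 0000) to cut false positives on invoice-like numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# A date explicitly labelled as a date of birth: a weaker signal, so it only
# sends the message for review rather than blocking it outright.
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*(\d{1,2}/\d{1,2}/\d{4})\b", re.IGNORECASE)

# Detector name, pattern, and the action an external-bound hit should trigger.
DETECTORS = [
    ("ssn", SSN_RE, "block"),
    ("mrn", MRN_RE, "block"),
    ("dob", DOB_RE, "quarantine"),
]
SEVERITY = {"allow": 0, "quarantine": 1, "block": 2}


@dataclass
class Finding:
    kind: str
    masked: str      # the raw identifier is never written to logs
    location: str


@dataclass
class Verdict:
    action: str
    findings: List[Finding] = field(default_factory=list)


def mask(value: str) -> str:
    """Keep the last four characters; blank out every other digit."""
    head, tail = value[:-4], value[-4:]
    return re.sub(r"\d", "*", head) + tail


def scan_text(text: str, location: str) -> List[Finding]:
    found = []
    for kind, pattern, _ in DETECTORS:
        for m in pattern.finditer(text):
            hit = m.group(1) if m.groups() else m.group(0)
            found.append(Finding(kind, mask(hit), location))
    return found


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def evaluate(message: Dict) -> Verdict:
    """message = {"to": [...], "subject": str, "body": str, "attachments": {name: text}}.
    Attachment text is assumed already extracted (PDF/Office parsing is out of scope)."""
    findings = scan_text(message["subject"], "subject") + scan_text(message["body"], "body")
    for name, content in message.get("attachments", {}).items():
        findings += scan_text(content, f"attachment:{name}")
    # Internal-only mail is delivered regardless; findings are still kept for audit.
    if not any(is_external(a) for a in message["to"]):
        return Verdict("allow", findings)
    actions = {kind: action for kind, _, action in DETECTORS}
    worst = max((actions[f.kind] for f in findings), key=SEVERITY.get, default="allow")
    return Verdict(worst, findings)


# Constructed sample traffic for the demo, not real messages.
SAMPLES = [
    {"to": ["billing@payer-example.com"], "subject": "Claim attached", "body": "See attached.",
     "attachments": {"claim.txt": "Patient SSN 123-45-6789, MRN 00123456"}},
    {"to": ["nurse@example-hospital.org"], "subject": "Handoff",
     "body": "MRN-87654321 moved to bed 4", "attachments": {}},
    {"to": ["vendor@example.net"], "subject": "Demo data",
     "body": "DOB: 04/15/1971, test record only", "attachments": {}},
    # Looks like an SSN, but area 9xx is never issued, so it passes.
    {"to": ["vendor@example.net"], "subject": "Invoice",
     "body": "PO 987-65-4321 approved", "attachments": {}},
]


def run_demo() -> List[str]:
    return [evaluate(m).action for m in SAMPLES]


if __name__ == "__main__":
    for m, action in zip(SAMPLES, run_demo()):
        hits = [(f.kind, f.masked, f.location) for f in evaluate(m).findings]
        print(f"{action:10s} {m['subject']!r} -> {hits}")
```

The design choices worth noting: hits are masked before they are stored so the DLP log does not itself become a PHI repository; the SSN pattern excludes never-issued ranges because pattern-only matching on nine-digit numbers drowns analysts in false positives; and internal mail is allowed but still recorded, which is what makes the audit trail useful when an insider case is investigated later.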
Included in the best practices guide are two technical volumes, one intended for small healthcare organizations and another for medium and large ones, detailing 10 practices and suggested sub-practices to help mitigate the threats:
- E-mail protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
On data protection and loss prevention, HHS encourages medium-sized organizations to classify data and implement data use procedures and backup strategies. It recommends large organizations deploy a form of advanced data loss prevention and ensure they can map data flows throughout the organization.
The 34-page document is designed to function as a best practices guide for healthcare practices. While all of it is good advice, it is voluntary, meaning none of it is technically required to comply with the state and federal laws on the books around cybersecurity.
“We do not expect the practices provided in this publication to become a de facto set of requirements that all organizations must implement. Such a dogmatic approach is not effective given the dynamic nature of cybersecurity threats and the fast pace of technology evolution and adoption. Furthermore, we do not guarantee that these practices will aid organizations in meeting their compliance and reporting obligations,” the document reads.
The document is the product of Section 405(d) of the Cybersecurity Act of 2015, which brought together stakeholders from across the healthcare industry, the Department of Homeland Security, and the National Institute of Standards and Technology to better align healthcare industry security approaches. The document was produced by the CSA 405(d) Task Group between May 2017 and March 2018.
“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats,” Erik Decker, a member of the Task Group and Chief Information Security and Privacy Officer for the University of Chicago Medicine (UCM), said in a statement. “That is exactly what this resource delivers; recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert.”