Given the recent increase in attacks on healthcare providers, this is a good time to review the guidelines for healthcare cybersecurity best practices as directed within HHS CSA 405(d).
This blog discusses the importance of HHS CSA 405(d) and why healthcare providers need to implement these guidelines.
The backdrop is that when Congress passed the Cybersecurity Act of 2015 (CSA), it instructed the US Department of Health & Human Services (HHS) to develop a common set of guidelines, practices, methodologies, and processes specifically for healthcare providers. This resulted in HHS developing CSA 405(d), which authorized a coalition of experts to develop a set of Health Industry Cybersecurity Practices (HICP) Guidelines.
Furthermore, these guidelines were developed in alignment with the National Institute of Standards and Technology's NIST Cybersecurity Framework, which is widely accepted as the national industry standard for guidelines regarding cybersecurity mitigation.
In other words, implementing practices according to CSA 405(d) is critical for all healthcare providers. In this blog we’re only going to focus on those that are specific to smaller healthcare providers, clinics and doctors’ offices, referred to in Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations. These 10 cybersecurity practices are summarized below.
1. Email Protection Systems
The report, Cybersecurity in the Healthcare Industry, ranked phishing as one of the top risks and vulnerabilities for healthcare organizations. This is primarily due to human error, as phishing attacks have become very convincing and continue to challenge countermeasures.
To mitigate and protect against these threats, the HICP guidelines suggest:
Ensure the email system is properly configured.
Provide security awareness training to all employees.
Subscribe to a phishing simulation to test and score the human awareness factor.
Implement digital signatures to ensure authenticity.
2. Endpoint Protection Systems
Cloud security firm Wandera reports that malicious network traffic is the highest cybersecurity risk for hospitals and other healthcare providers and affects 72% of all organizations. Endpoint protection systems provide the initial layer of defense against viruses, malware and client-side attacks.
Endpoint protection also includes mobile device management (MDM) software that ensures protected health information (PHI) is protected and can be wiped from a device if it gets stolen or an employee is deauthorized.
3. Access Management
Access Management includes clearly identifying all users and their access to data, applications, systems, and endpoints. This includes implementing security controls that manage this access.
In addition to implementing policies for access management, the organization will leverage technologies to enable these policies. For example, Multi-Factor Authentication (MFA) requires the authorized user to approve access, typically via mobile phone code. Single sign-on systems allow the organization to centrally maintain and monitor access.
4. Data Protection and Loss Prevention
Today, PHI data has become even more valuable than credit card data. Data-loss prevention (DLP) solutions help protect and secure data and include traditional data backup/recovery, mobile backup, and cloud backup.
Organizations should develop policies and procedures for managing access to corporate data from a remote device. Here again, MDM solutions are key to enforcing these policies. Device encryption is also key for protecting PHI.
5. Asset Management
IT Asset Management (ITAM) is critical to ensuring that all devices that connect to the network are known and secured. This is because PHI may be stored on network devices and many medical devices.
It’s important to have an inventory of all devices that connect to the network and control what kind of devices can connect to the network. Be sure to decommission and wipe sensitive data from devices that are removed from the network.
6. Network Management
Most organizations have traditional network access controls but may lack additional measures that are just as important. This includes network segmentation, intrusion prevention, guest access and physical security. These measures are intended to isolate attacks on the network.
7. Vulnerability Management
According to this report by Palo Alto Networks, 83% of the US healthcare system is running on outdated software. Vulnerability management helps to identify these outdated versions and includes a plan to rectify them. Smaller healthcare organizations more frequently turn to penetration testing to identify vulnerabilities at least once a quarter.
8. Incident Response
Incident response is the ability to discover cyberattacks on the network and prevent them from causing a data breach or loss. All healthcare organizations should have an incident-response plan outlining policies and practices for quickly and efficiently isolating and mitigating adverse security events. These security events should be reported to a national information sharing and analysis organization (ISAO), or local HIE partner.
9. Medical Device Security
Medical device security remains a top concern for healthcare organizations as they weigh patient-safety risks against cyber threats and vulnerabilities.
Medical devices have additional cybersecurity guidelines as published in the Medical Device and Health IT Joint Security Plan, commonly referred to as The Joint Security Plan, or JSP. These guidelines provide a framework for managing medical devices and mitigating cyber-attacks.
In essence, the key vulnerabilities for medical devices include out-of-date operating systems that organizations cannot patch and a lack of asset management.
10. Cybersecurity Policies
Establishing cybersecurity policies, processes and procedures is one of the most effective means for preventing cyberattacks. This includes establishing policies such as roles & responsibilities, security awareness, personal devices, remote use and incident reporting, to name a few.
These policies are especially important when an event such as ransomware, theft of equipment or loss of data occurs.
* * * * * * *
Cybersecurity for healthcare organizations has become increasingly complex and challenging, as the need to protect PHI has become more critical. Take these measures to help mitigate cyber-attacks and vulnerabilities.
Need help? RIATA is here to provide the direction and guidance for your practice to implement these Health Industry Cybersecurity Practices (HICP) Guidelines. Contact us for a no-obligation consult.