HHS Releases New Cybersecurity Guidance
In a four-part publication, a Task Force that included the Department of Health and Human Services (HHS) and private sector industry leaders released guidance for the healthcare industry on cybersecurity best practices. The guidance, Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, focuses on healthcare providers, payors and pharmaceutical companies.
This post takes an in-depth look at the guidance.
The Cybersecurity Act of 2015 required HHS, in collaboration with healthcare industry stakeholders, to “establish a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes” to reduce the cybersecurity risks to healthcare organizations. In response to this mandate, HHS convened a Task Force of more than 150 healthcare and cybersecurity experts and government partners to develop and publish the HICP.
The guidance falls into three distinct parts. The first, known as the Main Document, details the current cybersecurity threats facing the healthcare industry and provides practical tips to help mitigate these threats. Technical Volumes 1 and 2 provide technical support for IT professionals in the industry. And the final section contains Resources and Templates to help organizations develop their own cybersecurity policies and procedures.
The Main Document
The Main Document focuses on current cybersecurity threats facing the healthcare industry. Using a scenario all too familiar to healthcare professionals, the influenza virus, the Main Document distinguishes between threats and vulnerabilities and what they each mean for the industry. According to the HICP, a threat is an internal or external activity or event that has the potential to negatively affect an organization. Vulnerabilities, on the other hand, are weaknesses that, if exposed, may result in harm to the organization. “A threat often exploits a vulnerability.”
The HICP cautions healthcare professional to focus on the basics and practice effective “cyber hygiene.” Current threats described in the HICP include:
- e-mail phishing attacks;
- loss or theft of equipment or data;
- insider, accidental, or intentional data loss; and
- attacks against connected medical devices that may affect patient safety.
Each identified threat contains a graphic detailing a description of the threat, real-world scenarios, and “Threat Quick Tips.” The graphic also contains a chart outlining the vulnerabilities, impact, and practices to consider related to each threat.
The first threat discussed in the Main Document is a common cybersecurity threat known across all industries: the e-mail phishing attack. An e-mail phishing attack is an attempt to trick the e-mail recipient into giving out information to an unauthorized individual. For example, employees may receive an e-mail disguised as an IT request with instructions to change their passwords. Once an employee clicks on the link contained in the e-mail, the employee is re-directed to a fake login page that collects the employee’s login credentials and sends this information to the hacker. The Main Document discusses the impact of phishing attacks on the healthcare industry, including loss of reputation, patient identity theft, and the potential inability to provide timely and quality patient care. The vulnerabilities that lead to this type of threat include the lack of awareness training, lack of IT resources managing suspicious e-mails, and lack of software scanning e-mails for malicious content.
The HICP contains practices to consider, and cross references sections of Technical Volumes 1 and 2 where IT professionals can find support to implement effective cybersecurity mitigation practices. To help address e-mail phishing attacks, the HICP suggests that, in appropriate instances, tagging or otherwise flagging emails that come from external sources (outside the organization’s own network) to make them more recognizable to staff.
The Main Document also contains “Threat Quick Tips” for healthcare professionals. The “Threat Quick Tips” explain “What to Ask,” “When to Ask,” and “Who to Ask” when healthcare professionals are faced with cybersecurity threats.
Technical Volumes 1 and 2: Cybersecurity Practices for Small, Medium, and Large Organizations
The HICP also includes Technical Volumes 1 and 2 that are designed to help healthcare organizations mitigate threats. Technical Volume 1 is designed for small organizations, while Technical Volume 2 is geared towards medium and larger organizations. Understanding that not all organizations are similarly situated, the Task Force provided guidance for organizations of varying sizes.
The Technical Volumes are organized into ten cybersecurity practices to mitigate the current cyber threats identified in the Main Document. These ten practices are then divided into sub-practices depending on the size of the organization. Table 2 Cybersecurity Practices and Sub-Practices for Small Organizations is shown below to demonstrate the ten cybersecurity practices and various sub-practices.
The cybersecurity practices were designed to align with the National Institute of Standards and Technology or NIST Framework to manage cyber threats: identify, protect, detect, respond, and recover. The Technical Volumes guide healthcare organizations to achieve the outcomes identified by the NIST Framework.
Resources and Templates
The final section of HICP includes Resources and Templates. Here, healthcare organizations can find assistance to determine which practices to prioritize and implement first, template policies and procedures, and a helpful appendix of commonly used cybersecurity acronyms and abbreviations, among other things.
Deputy Secretary of Health and Human Services Eric Hargan notes that healthcare technology and innovation is “a cause for optimism,” but cautions that the same technology “can directly threaten not just the security of our systems and information but also the health and safety of American patients.” Hargan invites anyone “interested in cybersecurity and patient safety” to get involved in the Task Force.
The HICP is voluntary guidance intended as a tool that healthcare organizations might consider as part of an overall cybersecurity program including in assessing the sufficiency of existing systems and controls.