HHS Publishes Health Industry Cybersecurity Practices

Privacy and Data Security

In December 2018, the Department of Health and Human Services published “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP). The HICP addresses five common cybersecurity threats and ten practices to mitigate these threats, and serves as a call to action for healthcare organizations to detect these common threats and implement mitigation controls to protect patient safety.

The HICP is a voluntary guidance document and not a regulatory requirement. The goals of the HICP are to raise awareness and provide common cybersecurity practices to ensure a consistent approach in mitigating the most prevalent cybersecurity threats in the healthcare industry. The document also provides guidance on cost-effective methods that every healthcare organization, regardless of size, can utilize to reduce cybersecurity risks.

It is well-known that cyberattacks against healthcare organizations have increased. According to the Health and Human Services (HHS) Office for Civil Rights (OCR) breach portal, there were 256 data breaches involving 500 or more individuals from January 2018 to October 2018. Out of those 256, there were 112 cyberattacks that compromised over 5 million patient records. A Beazley study conducted in 2017 found that 45% of ransomware attacks involved the healthcare industry. Cyber criminals are automating their attacks by using Ransomware-as-a-Service (RaaS) to target multiple victims all at once. Due to the increased use of RaaS, we predict ransomware attacks will continue to grow.

Background

In 2015, the United States Congress passed the Cybersecurity Act. Within this legislation, Section 405(d), “Aligning Health Care Industry Security Approaches,” provides guidance for the U.S. healthcare industry. HHS convened the 405(d) Task Group in May 2017 with a mission to develop a voluntary set of practices that is now available to everyone and addresses three main goals:

  1. To provide a cost-effective process to reduce cybersecurity risk across varying sizes of healthcare organizations;
  2. To support voluntary adoption and implementation; and
  3. To ensure on an ongoing basis that content is actionable, practical and relevant to healthcare stakeholders of every size and resource level.

The Task Group’s approach to the development of the HICP included:

  • Examining current cybersecurity threats affecting the Healthcare and Public Health (HPH) sector;
  • Identifying specific weaknesses that make organizations more vulnerable to the threats; and
  • Providing selected practices that cybersecurity experts rank as the most effective to mitigate the threats.

The Task Group leveraged the HPH Sector, the Critical Infrastructure Security and Resilience Public-Private Partnership, the HPH Sector Government Coordinating Council, the Department of Homeland Security, and the National Institute of Standards and Technology (NIST) to plan, develop and draft the HICP. The Task Group comprises a diverse group of more than 150 healthcare cybersecurity and privacy experts, healthcare practitioners, health information technology (IT) organizations, and other subject matter experts from the public and private sectors.

The Task Group determined that it was important to tailor the HICP to a healthcare organization’s size—specifically, small, medium or large. Organizations of different sizes have distinct cybersecurity-related requirements, strengths and vulnerabilities, so tailoring the practices to organization size was critical to making them effective. The Task Group also leveraged the NIST Cybersecurity Framework (CSF) to build the HICP.

What the Task Group Identified

The Task Group identified five threats that have the greatest impact in the healthcare sector and ten practices that can help mitigate those threats. The technical volumes within the HICP contain the details and implementation guidelines for these ten practices.

The five threats most prevalent in the healthcare industry are:

  1. Email phishing attacks
  2. Ransomware attacks
  3. Loss or theft of equipment and data
  4. Insider, accidental or intentional data loss
  5. Attacks against connected medical devices that may affect patient safety

The Task Group identified the following practices for mitigating these threats:

  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response procedures
  9. Medical device security
  10. Cybersecurity policies

The Task Group Deliverables

In December 2018, the HICP was published, consisting of a number of documents that offer comprehensive guidance for best practices in the healthcare industry.

  • Main Document. The main document provides a project overview and includes a call to action for the healthcare industry, especially executive decision makers, to make cybersecurity a priority to protect patients’ safety. The document outlines the five common threats facing the healthcare industry, the ten practices that can help mitigate the five threats and an overview of the HICP. More information can be obtained here.
  • Technical Volumes 1 and 2: Cybersecurity Practices for Small, Medium and Large Health Care Organizations. These technical volumes, written for IT and security professionals, focus on how the ten HICP practices and their sub-practices apply to the healthcare organization. Volume 1 is intended for small organizations and Volume 2 for medium and large organizations. For more information on the technical volumes, see volume 1 here and volume 2 here.
  • The Resources and Templates Document. This document provides additional resources and references to supplement the main document and technical volumes. More information can be obtained here.

How to Approach the HICP

While implementation of the HICP will vary by organization size, complexity and type, there are basic guidelines on how to begin with the HICP:

  1. Read and understand the documentation listed above.
  2. Identify internal and external stakeholders within your organization that will be involved in the assessment process. At a minimum, you should include representatives from legal, privacy, IT (including information security, network, applications, database, etc.), physical security and other relevant subject matter experts from your organization.
  3. Determine the size of your organization. Refer to Table 1 in the main document to identify which technical volume to use.
  4. Assess your organization against the applicable technical volume. The technical volumes contain ten effective practices to mitigate the five threats within the healthcare sector. Each of the ten practices has a set of sub-practices that vary depending on the size of the organization. These practices are mapped against the NIST CSF functions: identify, protect, detect, respond and recover. The Resources and Templates document has basic information on threat assessment; for guidance on conducting a thorough threat assessment, organizations should review NIST Special Publication 800-30. Performing a threat assessment will help determine the priority and criticality of each risk. The Resources and Templates document also provides the following simple assessment methodology that may be followed:

    Step 1: Enumerate and prioritize threats

    Step 2: Review practices tailored to mitigate threats

    Step 3: Determine gaps compared to practices

    Step 4: Identify improvement opportunity and implement

    Step 5: Repeat for next threats

HHS is in the process of developing a risk assessment toolkit to assist organizations with prioritizing their cyber threats and creating their own action plans using the assessment methodology outlined in the Resources and Templates volume. Refer to the links under the section “The Task Group Deliverables” for more information.

Why It Matters

The increase in cyber threats, coupled with the level of sophistication used by cyber criminals against the healthcare sector, is a serious concern. These attacks threaten not only the security of the organization but also the health and safety of patients. An attack can disrupt a healthcare provider’s ability to provide lifesaving services to patients. Disruption of medical care and the undermining of patient safety are the largest threats in the healthcare industry. However, other factors, such as the cost of a data breach, should also be considered. According to a study by Ponemon Global, 2018 Cost of Data Breach, the average per capita cost for a healthcare data breach is $408, the highest of any industry. The high cost is due to the healthcare sector being highly regulated. Assessing your organization against the HICP is an important step in protecting your organization and patients against the five common attack vectors. These common attack vectors were examined and vetted by the Task Group as the most prevalent in the healthcare industry. We advise our clients to assess their environment and implement the HICP to mitigate risks, protect patient safety and limit the damage caused by a data breach.