Resource Report → Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
The Department of Health and Human Services aims to have more healthcare organizations well-prepared to prevent data breaches in their latest 34-page cybersecurity framework report.
In early January 2019, The United States Department of Health and Human Services (HHS) released the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). This recently-published guide promotes insight to why the healthcare industry must strategize for more modern policies and procedures when it comes to protecting patient information. The report utilizes perspective and data from more than 150 healthcare and cybersecurity experts from the Health Sector Coordinating Council. As a result of this collaboration between security and healthcare professionals, we now have a detailed report of the most common challenges in healthcare security, and how we can address these issues in the future.
The healthcare industry is even more susceptible to cyber attacks because of the inherit value of the stolen data from such organizations. Becker’s Health IT & CIO Report concludes that the average data breach cost per record is around $408  (twice that of the financial, technology, education, and commerce industries). As a result, healthcare providers of all sizes need to continue improving and create dynamic modifications to their security framework. This report builds on the existing National Institute of Standards and Technology (NIST) Cybersecurity Framework which highlights 5 functions of the data security lifecycle: Identify, Protect, Detect, Respond, and Recover.
The document sets to accomplish three core goals:
- Cost-effectively reduce cybersecurity risks for a range of healthcare organizations
- Support the voluntary adoption and implementation of its recommendations
- Ensure, on an ongoing basis that content is actionable, practical, and relevant to health care stakeholders of every size and resource level
Summary of HHS Publication
To provide a more outlined approach to creating a foundational security framework, HHS experts organized the informative piece into separate categories. The Main Document aims to discover the overarching themes of security issues facing the healthcare sector. Technical Volume 1 examines Cybersecurity Practices for small healthcare organizations; Technical Volume 2 highlights security procedures for medium and large healthcare organizations with existing IT and security professionals as part of their workforce. Lastly, HHS delivers The Resources and and Templates Volume. Working in tandem, these appendices give an impressive synopsis of how your organization can get started today with better security processes.
Current Threat Scenarios Facing the Healthcare Industry
The HICP highlights several major security breach tactics and how your organization can better prepare to defend against these attacks. Some examples of the threat-risk and necessary framework include:
- E-mail Phishing Attack
- Security standards for employee training, establishing multi-factored authentication policies, and tools for preventing malware-infused emails and communication channels, etc.
- Ransomware Attack
- Importance of backing up data regularly, patching outdated software with modern updates, test for system vulnerabilities, etc.
- Loss or Theft of Equipment or Data
- Regularly record inventory of assets, highlights importance of physical security practices, benefits of data encryption, etc
- Threat: Insider, Accidental or Intentional Data Loss
- Adequately log and audit employee access to patient’s data, monitor physical access controls, training for social engineering and other credential manipulation techniques, etc.
- Threat: Attacks Against Connected Medical Devices That May Affect Patient Safety
- Medical devices should be properly secured along with IT equipment used in conjunction with these systems, updating security for legacy medical devices, etc.
- E-mail Protection Systems
- Endpoint Protection Systems
- Access Management
- Network Management
- Vulnerability Management
- Incident Response
- Medical Device Security
- Cybersecurity Policies
Why is the HHS practices report important?
The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients doesn’t aim to produce groundbreaking new coverage of threats attacking healthcare organizations. Instead, the focus of the piece is to provide a more contextual and a practical framework to those organizations that don’t have a large security budget and are exposed to these risks. To quote Erik C. Decker, the Chairman of the Board (Association for Executives in Health Care Information Security) “The Task Group determined that it was not feasible to address every cybersecurity challenge across the large and complex U.S. health care industry in a single document. The Task Group therefore made the decision to focus on the most impactful threats, with the goal of significantly moving the cybersecurity needle”. The report is candid in that it reveals cybersecurity is a continuously evolving threat, requiring indefinite attention and resourceful strategy to keep patient data protected and secure. These policies should be consistently re-evaluated to meet the standards and threat landscape facing healthcare organizations in the future.
Proven Data is a supporter of this new publication that aims to contribute more resources and awareness around the protection of healthcare data and records. As we enter a new year, healthcare organizations should make a point to improve their security foundation which can help improve their data loss prevention policies. Cyber crime will continue to evolve, and so should our defense strategy for keeping your patient data and information secure.
You can check out the official Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients from HHS here.