HHS Publishes Guide to Cybersecurity Best Practices

With the aim of helping healthcare entities of all sizes improve their cybersecurity, the Department of Health and Human Services has issued a four-volume publication of voluntary best practices.

The authors of the publication note that the document “does not create new frameworks, rewrite specifications, or ‘reinvent the wheel.’ We felt that the best approach to ‘moving the cybersecurity needle’ was to leverage the NIST Cybersecurity Framework, introducing the framework’s terms to start educating health sector professionals on an important and generally accepted language of cybersecurity and answering the prevailing question: ‘Where do I start, and how do I adopt certain cybersecurity practices?’”

The goal of the guidance is to aid healthcare entities – regardless of their current level of cyber sophistication – in bolstering their preparedness to deal with the ever-evolving cyber threat landscape.

“I spend a lot of time in healthcare providers that run the gamut in size and security maturity and still the top two questions are either: ‘Where do I start?’ or ‘What do I do next, now that this part is done?’” says former healthcare CIO David Finn, an executive vice president at security consulting firm CynergisTek.

“The days of small providers not knowing what to do or large providers thinking they’ve done all they need to do are over,” adds Finn, who was a member of a federal cyber task force that also contributed to the document.

HHS notes in a statement that the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” document is the culmination of a two-year effort involving more than 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Public-Private Partnership.

The creation of the publication was in response to a mandate under the Cybersecurity Information Sharing Act of 2015 to develop “practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry,” HHS notes.

Top Issues

HHS Deputy Secretary Eric Hargan notes in the document that experts contributing to the guidelines determined that it was “not feasible” to address every cybersecurity challenge across the large and complex U.S. healthcare industry.

“Therefore, it focused on the five most prevalent cybersecurity threats and the 10 cybersecurity practices to significantly move the needle for a broad range of organizations within our sector,” Hargan says.

Erik Decker, University of Chicago Medicine chief security and privacy officer – who co-led the effort to create the new document as a member of Health Sector Coordinating Council – tells Information Security Media Group that he hopes the new HICP document will help improve cybersecurity across the healthcare industry. “It provides practical, actionable and measurable cybersecurity steps to help mitigate notable cyber threats our industry faces,” he says.

The document “was written to be a ‘how to’ guide on helping mitigate salient cybersecurity threats our industry faces while also leveraging all the existing frameworks, standards and controls already in place,” says Decker, who is also advisory board chairman of the Association for Executives in Healthcare Information Security, a CISO group within the College of Healthcare Information Management Executives.

“We purposefully did not want to create a new framework or set of controls, but rather augment what already exists. It maps back to other NIST Special Publications as well as HIPAA and other regulatory guidance from the Centers for Medicare and Medicaid Services, the Office for Civil Rights, and the Food and Drug Administration. It’s a pretty comprehensive index that will help organizations jump right in without having to first be scholars of all of the great cyber guidance that exists already.”

‘Best Thinking’

The document’s guidelines “reflect the best thinking of more than 150 experts from the healthcare and security industries and government about how hospital systems and other healthcare organizations should manage enterprise cyber risk,” Greg Garcia, executive director of cybersecurity for the Healthcare and Public Health Sector Coordinating Council, tells ISMG.

“The practices, mapped to the NIST Cybersecurity Framework, are scalable and flexible, and we believe that if every healthcare organization adopts these practices over time, we will see uniform improvement in our collective cyber preparedness and resilience,” Garcia says.

The practices spelled out in the guidance are tiered for small, midsize and large organizations, he notes. “But it is clear that small community hospitals that have the least expertise and resources to manage cybersecurity even at the most fundamental level can look to [the guidelines] as the place to start, in language that is tailored to the unique needs of healthcare and patient safety.”

Four Volumes

The publication’s four volumes include a main document that discusses the current cybersecurity threats facing the healthcare industry. The threats highlighted include email phishing attacks; ransomware attacks; loss or theft of equipment or data; insider data loss, whether accidental or intentional; and attacks against connected medical devices that may affect patient safety.

That first volume sets forth a call to action for the healthcare industry, especially executive decision makers, with the goal of raising general awareness of the issue, the document notes.

The publication also includes two technical volumes – the first for smaller healthcare organizations and the second for midsize to large healthcare organizations.

The technical volumes are organized according to the 10 most effective cybersecurity practices, as identified by the HHS Cyber Task Force, which in June 2017 issued a report with more than 100 recommendations for how the healthcare sector can improve its cybersecurity posture.

The 10 practices spotlighted in the new HHS document include the use of:

  • E-mail protection systems, including multifactor authentication for remote email access;
  • Endpoint protection systems, including micro-segmentation and virtualization strategies;
  • Access management, such as federated identity management;
  • Data protection and loss prevention, including mapping of data flows;
  • Asset management, such as integration with network access controls;
  • Network management, including anomalous network monitoring and analytics;
  • Vulnerability management, such as penetration testing;
  • Incident response, such as deploying deception technologies;
  • Medical device security, including vulnerabilities management;
  • Cybersecurity policies, such as defining the organization’s position on the use of personal devices or bring-your-own-device.

The fourth volume is an appendix that provides resources and templates that organizations can leverage to assess their cybersecurity posture, as well as to develop policies and procedures.

Top Tips

So, what are some of the most helpful tips offered by the publication?

“One area that stands out is its attention to supply chain and vendor management – how to procure equipment and technology from vendors with cybersecurity requirements in mind,” Garcia notes.

Finn, a member of the HHS cyber task force, has high hopes for the new publication.

The four-volume document “will absolutely help improve cybersecurity in the health industry,” he predicts. “If the HHS Task Force report provided an overview and high-level plan to start the industry moving, this series provides the vehicle, gassed up and ready to roll,” he says.

“The game-changer – or game-starter – is this: This document sets forth a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures and processes to achieve three core goals,” Finn says.

Those goals include cost-effectively reducing cyber risks for a range of healthcare organizations; supporting the adoption and implementation of the document’s recommendations; and ensuring on an ongoing basis that the document’s content is actionable, practical and relevant to healthcare stakeholders of every size and resource level.

Dale Nordenberg, M.D., executive director at the Medical Device Innovation Safety & Security consortium, says he’s also hopeful that the document can assist healthcare sector entities.

“Overall it’s a pretty high-level resource,” says Nordenberg, who worked on the document as a member of the health sector coordinating council. “The document is unique because its target audience is the front line of healthcare delivery and its emphasis is on patient protection. The breadth and depth of the technical content is tuned for optimal effect on healthcare systems at the point of care,” he says. “Maybe it will help some front-line people see things in a new light and help them advance.”

Looking Ahead

In addition to this publication, Garcia notes that HHS and the health sector coordinating council “will soon be releasing medical technology and health IT product security development guidelines that will cross-reference with the newly released HICP guidelines.” (See New Effort to Draft Medical Device Cybersecurity Guidance).

“The HICP and medical tech security guidelines express what hospital systems should expect from their technology providers and what medical technology companies will hold themselves accountable for as a commitment to their customers and patient safety,” Garcia notes.

Marianne Kolbasuk McGee (HealthInfoSec) • January 2, 2019