The HHS Healthcare & Public Health Sector Coordinating Councils recently released Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP),[1] a four-part publication designed to raise awareness among executives, administrators, and healthcare providers regardless of the size of the organization.[2] The HICP consists of a Main Document, Technical Volume 1, Technical Volume 2, and a Resources and Templates volume.

The core goals of HICP are: 

  1. Cost-effectively reduce cybersecurity risks for a range of healthcare organizations;
  2. Support the voluntary adoption and implementation of its recommendations; and
  3. Ensure, on an ongoing basis, that content is actionable, practical, and relevant to health care stakeholders of every size and resource level.[3]

The publication provides a detailed description of the five most impactful cybersecurity threats to a healthcare organization and describes practices that can be used to mitigate them:

  1. E-mail phishing attacks;[4]
  2. Ransomware attacks;[5]
  3. Loss or theft of equipment or data;[6]
  4. Insider, accidental or intentional data loss;[7] and
  5. Attacks against connected medical devices that may affect patient safety.[8]

The Technical Volumes provide IT and security professionals with recommendations tailored to health care organizations.[9] They contain the general Practices and specific sub-practices for small organizations (Volume 1) and for medium to large organizations (Volume 2). Additionally, each sub-practice is mapped to the NIST Cybersecurity Framework. The ten Practices include:

  1. E-mail protection system;
  2. Endpoint protection system;
  3. Access management;
  4. Data protection and loss prevention;
  5. Asset management;
  6. Network management;
  7. Vulnerability management;
  8. Incident response;
  9. Medical device security; and
  10. Cybersecurity policies.[10]

The final part of the HICP, Resources and Templates, contains a table of the NIST Framework Mapping, a tool to assist organizations in selecting and prioritizing the Practices of most relevance, an appendix of additional resources, and several templates, including access control procedures, incident reports, privacy and security policies “At-A-Glance,” and do’s and don’ts for secure exchange under the Trusted Exchange Framework and Common Agreement.[11]

The release of the HICP shows that HHS is working to make cybersecurity less complex, less expensive, accountable at all levels of the organization, more accessible to small organizations, and something as commonplace in healthcare as hand washing.  The HICP highlights, “1,309 records were inappropriately accessed by a single employee between 2016 and 2017.”[12] In today’s environment, a single employee’s actions can have strategic consequences for a healthcare organization, so an effort to simplify and popularize cybersecurity in health care is a step in the right direction.


[1] U.S. Dep’t of Health & Human Servs., Healthcare & Public Health Sector Coordinating Councils, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (Dec. 2018), https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf.

[2] See U.S. Dep’t of Health & Human Servs., Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, Public Health Emergency (Jan. 4, 2019), https://www.phe.gov/Preparedness/planning/405d/Pages/default.aspx.

[3] U.S. Dep’t of Health & Human Servs., supra note 1, at 6.

[4] Id. at 16-17.

[5] Id. at 18-19.

[6] Id. at 20-21.

[7] Id. at 22-23.

[8] Id. at 24-25.

[9] Id. at 6.

[10] Id. at 6; see U.S. Dep’t of Health & Human Servs., Healthcare & Public Health Sector Coordinating Councils, Health Industry Cybersecurity Practices: Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations (Dec. 2018), https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol1-508.pdf; U.S. Dep’t of Health & Human Servs., Healthcare & Public Health Sector Coordinating Councils, Health Industry Cybersecurity Practices: Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations (Dec. 2018), https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol2-508.pdf.

[11] U.S. Dep’t of Health & Human Servs., Healthcare & Public Health Sector Coordinating Councils, Health Industry Cybersecurity Practices: Resources and Templates (Dec. 2018), https://www.phe.gov/Preparedness/planning/405d/Documents/resources-templates-508.pdf.

[12] U.S. Dep’t of Health & Human Servs., supra note 1, at 12.