On Friday, December 28, 2018, the Department of Health and Human Services (HHS) released the "Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients" publication. The four-volume publication aims to provide voluntary cybersecurity practices to healthcare organizations of all types and sizes. This document is a valuable resource as health care providers assess and revise their 2019 HITECH required Security Risk Analysis.
Cybersecurity and an updated Security Risk Analysis are fluid and ongoing efforts rather than a one and done calendar year exercise. The HHS Cybersecurity Practices offer valuable insight into the types of threats and protections associated with the physical, technical and administrative safeguards that comprise the gravamen of a complete Security Risk Analysis. It also is a good idea to review the breadth and value of your Cybersecurity insurance. Does it include payment for a forensic team? Does it include payment for post-breach marketing designed to salvage the reputational harm from a breach? Most importantly, does it adequately address the central point of Cyberinsurance: losses due to a data breach? Finally, how will your organization create and preserve privileged communications in the immediate aftermath and chaos of a breach--a critical consideration given the probability of post-breach lawsuits and discovery. The actual breach event is a bad time to initially respond to the above questions. Hoping never to have a mass breach is not a plan. Address these issues now to be that example exalted by Napoleon: the soldier who does the average thing while chaos reigns is a genius.
The main document of the HHS publication explores the five most relevant and current threats to the health care industry.
- E-mail phishing attack
- Ransomware attack
- Loss or theft of equipment or data
- Insider, accidental or intentional data loss
- Attacks against connected medical devices that may affect patient safety
It also recommends 10 Cybersecurity Practices to help mitigate these threats.
- E-mail protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
The publication also includes two technical volumes geared for IT and IT security professionals. Technical Volume 1 focuses on cybersecurity practices for small healthcare organizations, while Technical Volume 2 focuses on practices for medium and large healthcare organizations. The last volume provides resources and templates that organizations can leverage to assess their own cybersecurity posture as well develop policies and procedures.
For more information about cybersecurity threats and practices to mitigate these threats, download a copy of Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients at https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf.