The Department of Health and Human Services and the healthcare industry have issued cybersecurity “best practices” that focus on baseline measures such as protecting email, limiting system access and developing incident response plans. The guidelines were vetted through a “pre-testing” process intended to assess the effectiveness of the recommended security measures.
“For the health sector, cyberattacks are especially concerning because these attacks can directly threaten not just the security of our systems and information but also the health and safety of American patients,” HHS Deputy Secretary Eric Hargan said in announcing the guidelines released by the Health Sector Coordinating Council. “We are under constant cyberattack in the health sector, and no organization can escape that reality,” Hargan warned in touting the new guidelines.
“This publication is the result of the collaborative work HHS and its industry partners embarked on more than a year ago – namely, the development of practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for health care organizations of varying sizes, ranging from local clinics, regional hospital systems, to large health care systems,” according to Hargan in his introduction letter to the 34-page document.
Development of the guidelines was required by Cybersecurity Act of 2015 section 405(d) and builds on the recommendations of an HHS cybersecurity task force that released its report in June 2017.
The latest cybersecurity guidelines were issued as a four-volume set, with the second volume focused on helping small healthcare organizations defend against cyberattacks.
According to the document: “58% of malware attack victims are small businesses; In 2017, cyber-attacks cost small and medium sized businesses an average of $2.2 million; 60% of small businesses go out of business within six months of an attack; [and] 90% of small businesses do not use any data protection at all for company and customer information.”
Also, the guidelines were subjected to “pre-testing sessions” with healthcare professionals from around the country to determine the usefulness of the security measures being recommended.
“Pre-testing of the 405(d) document consisted of facilitated focus group discussions assessing the practicality, usability, and what impact this document can have,” according to a summary presentation of the guidelines by the HHS Chief Information Officer and distributed by the Health Sector Coordinating Council. The sessions were conducted “both in-person and virtual” with healthcare and public health CIOs and CISOs, and other medical professionals.
The 123 participants in the pre-testing sessions represented five regions of the country: the Northeast, Southeast, Midwest, Northwest and Southwest regions, according to the HHS CIO and sector council. More than a third of the participants are identified as “information security professionals,” with others described as including IT and medical device professionals as well as hospital administrators.
The guidelines offer 10 “practices” for reducing cybersecurity risks, which are listed as: “email protection systems; endpoint protection systems; access management; data protection and loss prevention; asset management; network management; vulnerability management; incident response; medical device security; [and] cybersecurity policies.”
The guidelines identify specific threats such as ransomware and attacks on connected medical devices, and offer “practices to consider” for addressing the listed “vulnerabilities.”
“Health care organizations must implement safeguards to mitigate the impact of the threats discussed in the previous section,” according to the main document of the four-volume set of guidelines. “The breadth and complexity of these threats complicates mitigation. This is not simply an IT problem. When threats and vulnerabilities are identified and assessed for potential impact, the most effective combination of safeguards and cybersecurity practices must be determined based on the organization’s particular needs, exposures, resources, and capabilities.”
The release of the guidelines clears the way for an outreach and education campaign by HHS and industry to encourage widespread use of the guidelines throughout the upcoming year. “Informing and educating” and “moving” to an updated version “2.0” of the guidelines are listed as “next steps” for 2019 by the HHS CIO and the health sector council in the guidelines summary.
“The publication marks the culmination of a two-year effort that brought together more than 150 cybersecurity and healthcare experts from industry and the government,” said the Health Sector Coordinating Council in announcing the guidelines. “The consensus-based document was developed and released under the auspices of the HSCC Joint Cybersecurity Working Group, a public-private partnership to enhance healthcare and public health cyber and critical infrastructure security and resilience.” – Rick Weber