HHS and HSSC Release New Cybersecurity Practices for the Health Care Industry
On December 28, 2018, the Department of Health and Human Services (HHS), in partnership with the Health Sector Coordinating Council (HSSC), published the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP Publication), which is a four-volume publication designed to provide voluntary cybersecurity practices to health care organizations of all types and sizes, ranging from local clinics to large health care systems. The HICP Publication was in response to a mandate set forth by the Cybersecurity Act of 2015, Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the health care industry. HHS and HSSC led a task group, comprised of cybersecurity industry leaders, to develop the HICP Publication. All health care organizations should review and consider the implementation of the recommendations set forth in the HICP Publication.
The main document of the HICP Publication explores the five most relevant and current threats to the health care industry. It also recommends 10 cybersecurity practices to help mitigate these threats. The main document presents real-life events and statistics that demonstrate the financial and patient care impacts of cyber incidents. The HICP Publication also lays out a call to action for all industry stakeholders: protective and preventive measures must be taken now.
HHS notes the process of implementing cybersecurity practices is not a one-size-fits-all approach. The complexity of an organization’s cybersecurity needs will increase or decrease based upon that organization’s specific characteristics and the nature of products and/or services provided. Therefore, the HICP Publication also includes two technical volumes geared for IT and IT security professionals based upon the size of the health care organization. Technical Volume 1 focuses on cybersecurity practices for small health care organizations, while Technical Volume 2 focuses on practices for medium and large health care organizations. The last volume of the HICP Publication provides resources and templates organizations can leverage to assess their cybersecurity posture, as well as develop policies and procedures.
Five Most Current Cybersecurity Threats to the Industry
The main document of the HICP Publication classifies the following as the most current cybersecurity threats to the health care industry and provides examples of cybersecurity practices that can minimize these threats. The HICP Publication examines the vulnerabilities, impact and practices to consider regarding each threat.
An e-mail phishing attack is an attempt to trick an e-mail recipient into giving out information using e-mail. It occurs when an attacker, posing as a trusted party (such as a friend, co-worker, or business partner), sends a phishing e-mail that includes an active link or file (often a picture or graphic). When the e-mail recipient opens the link, the recipient is taken to a website that may solicit sensitive information, proactively infect the computer, or compromise the organization’s entire network. Accessing the link or file may result in malicious software being downloaded or access being provided to information stored on the recipient’s computer or other computers within the organization’s network.
According to the HICP Publication, the lack of IT resources for managing suspicious e-mails, lack of software scanning e-mails for malicious content or bad links, and lack of e-mail detection software for testing malicious content, or of e-mail sender and domain validation tools, are vulnerabilities that can expose a health care organization to the phishing threat. E-mail phishing attacks can adversely impact a health care organization by causing a loss of reputation in the community, resulting in stolen access credentials, creating an erosion of trust or brand reputation, and potentially impacting the ability to provide timely and quality patient care, which could lead to patient safety concerns.
The HICP Publication recommends health care organizations consider adopting the following practices to protect against e-mail phishing attacks:
HHS defines ransomware as “a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.” Most ransomware attacks are sent in phishing campaign e-mails asking the recipient to either open an attachment or click on an embedded link. After a user’s data is encrypted, the ransomware will direct the user to pay the ransom to the hacker, typically in cryptocurrency, in order to receive a decryption key to release the data. Paying the ransom does not guarantee the hacker will decrypt or unlock the stolen or locked data.
According to the HICP Publication, the lack of system backup, lack of anti-phishing capabilities, unpatched software, lack of anti-malware detection and remediation tools, lack of testing and proven data backup and restoration, and lack of network security controls, such as segmentation and access control, are vulnerabilities that may result in an organization’s exposure to ransomware. Ransomware attacks can adversely impact a health care organization by resulting in partial or complete clinical and service disruption, patient care and safety concerns, and expenses for recovery from a ransomware attack. Moreover, it is important to note the presence of ransomware (or any malware) on a covered entity’s or business associate’s computer system is a security incident under the HIPAA Security Rule, and the covered entity or business associate must initiate its security response reporting procedures.
The HICP Publication recommends health care organizations consider adopting the following practices to protect against ransomware attacks:
The HICP Publication notes that every day, mobile devices, such as laptops, tablets, smartphones, and USB/thumb drives, are lost or stolen and may end up in the hands of hackers. HHS notes from January 1, 2018, to August 31, 2018, the Office for Civil Rights received reports of 192 theft cases affecting 2,041,668 individuals. When lost equipment is not appropriately safeguarded or password protected, the loss may result in unauthorized or illegal access, dissemination, and use of sensitive data.
According to the HICP Publication, vulnerabilities that can lead to the loss or theft of equipment or data include:
Loss or theft of equipment or data may adversely impact a health care organization by resulting in inappropriate access to or loss of sensitive information, including proprietary or confidential information or intellectual property. Moreover, theft or loss of unencrypted PHI or PII may occur, which could result in a data breach requiring notification to impacted individuals, regulatory agencies, and media outlets. Additionally, the health care organization’s reputation could be severely damaged.
The HICP Publication recommends health care organizations consider adopting the following practices to protect against the loss or theft of equipment or data:
Insider threats exist within every health care organization when employees, contractors, or other users access the organization’s technology infrastructure, network, or databases. HHS has placed insider threats into two groups: accidental insider threats and intentional insider threats. An accidental insider threat is unintentional loss caused by honest mistakes, like being tricked, procedural errors, or a degree of negligence. For example, being the victim of an e-mail phishing attack is an accidental insider threat. An intentional insider threat is malicious loss or theft caused by an employee, contractor, or other user of the organization’s technology infrastructure, network, or databases, with an objective of personal gain or inflicting harm to the organization or another individual.
According to the HICP Publication, health care organizations are vulnerable to insider data loss when:
Insider data loss can result in reportable data breaches and incidents when the accidental loss of PHI or PII occurs through e-mail and unencrypted mobile storage. Moreover, reportable incidents can occur when employees inappropriately view patient information. Financial loss can occur because of insiders who are socially engineered into not following proper procedures and due to employees who give access to banking accounts and routing numbers after falling victim to phishing e-mail attacks disguised as bank communications.
The HICP Publication recommends health care organizations consider adopting the following practices to prevent accidental insider or intentional insider data loss:
The Food and Drug Administration (FDA) defines a medical device as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part or accessory which is recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them; intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.” The HICP Publication notes a hacker may attempt to gain access to a health care provider’s network to take control of a connected medical device to put patients at risk.
HHS notes connected medical devices can be vulnerable if software patches are not implemented promptly, including regular and routine commercial system patches to maintain medical devices, or when legacy equipment is used that is outdated and lacks current functionality. Moreover, according to HHS, connected medical devices, unlike IT equipment, cannot be monitored by an organization’s intrusion detection system (IDS). As a result, the safety of patients and protection of data integrity are dependent on identifying and understanding the threats and threat scenarios. However, it is the challenge of identifying and addressing vulnerabilities in medical devices that augments the risk of threats compared with managed IT products. For medical devices, the cybersecurity profile information is not readily available at health care organizations, making cybersecurity optimization more challenging. This may translate into missed opportunities to identify and address vulnerabilities, increasing the likelihood for threats to result in adverse effects.
Compromised connected medical devices have broad implications to health care organizations, because medical devices may be entirely unavailable or will not function properly, compromising patient safety.
The HICP Publication recommends health care organizations consider adopting the following practices to safeguard from attacks against connected medical devices:
10 Cybersecurity Practices to Minimize Threats
The HICP Publication includes two volumes that provide specific cybersecurity practices geared for IT security professionals split between a volume for small health care organizations and medium to large health care organizations (HICP Technical Volumes). Among other criteria, the HICP Publication classifies a “small health care organization” as an organization that has one to 10 physicians, one or two health information exchange partners, and one practice or care site. Medium to large health care organizations have 26 to more than 500 providers, include multiple sites in a very extended geographic area, and have a significant number of health information exchange partners. Both HICP Technical Volumes provide general cybersecurity practices to address the five most relevant cybersecurity threats to health care organizations. Each general cybersecurity practice is then divided among specific sub-practices that address the technical components needed to implement the cybersecurity practices. HICP has recommended a total of 88 specific sub-practices for organizations to consider in their cybersecurity framework.
Health care organizations are often targeted through e-mail attacks. As a result, the HICP Technical Volumes recommend the following practices be adopted to protect e-mail systems. E-mail systems should be configured to ensure controls are in place to enhance security posture. Small health care organizations should check with their e-mail service provider to ensure controls are in place or enabled. The HICP Technical Volumes recommend “free” or “consumer” e-mail systems be avoided, as such systems are not approved to store, process, or transmit PHI. Instead, it is suggested health care organizations contract with a service provider that caters to the health care sector. Workforce education and training programs that include sections on phishing and recognition of phishing techniques should be implemented.
The HICP Technical Volumes recommend larger health care organizations consider advanced threat protection services that provide protection against phishing attacks and malware, implement digital signatures that allow the sender to cryptographically sign and verify e-mail messages, and use data analytics to determine the most frequently targeted users in an organization. Additionally, larger health care organizations should have more robust education programs that include ongoing simulated phishing campaigns, ongoing and targeted training, newsletters, and recurring departmental meetings regarding information security.
The HICP Technical Volumes recommend endpoints such as desktops, laptops, mobile devices and other connected hardware devices (e.g., printers and medical equipment) be protected. Smaller health care organizations should implement basic endpoint controls, such as:
Larger health care organizations should take more precautions, including implementing basic endpoint controls such as:
The HICP Technical Volumes recommend health care organizations of all sizes clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints. According to the HICP Technical Volumes, organizations of all sizes should implement an Identity and Access Management (IAM) program, which is a program that encompasses the processes, people, technologies, and practices relating to granting, revoking, and managing user access. The HICP Technical Volumes note that given the complexities associated with health care environments, IAM models are critical for limiting the security vulnerabilities that can expose organizations. Basic access authentication methods rely on usernames and passwords, a model that the success of phishing and hacking attacks has shown to be weak. The HICP Technical Volumes recommend stronger authentication methods, such as passphrases, and limiting the rate at which authentication attempts can occur, which severely restricts the ability of automated systems to brute force the password.
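The rate-limiting recommendation above is easy to state and easy to get wrong, so here is a server-side implementation as an added example. It is not code from the HICP volumes or from HHS; the thresholds (five failures in a 15-minute sliding window, then a 15-minute lockout) and the 15-character passphrase minimum are assumptions chosen for the demonstration, and the credential store is constructed in memory. Failed attempts that age out of the window are forgotten, a successful login clears the counter, and unknown user names are hashed anyway so that response timing does not reveal which accounts exist.

```python
"""Added example (not from the HICP volumes): rate-limited authentication.

Models the HICP advice to prefer passphrases and to limit the rate of
authentication attempts. All thresholds are assumptions for the demo.
"""
import hashlib
import hmac
import os
import time
from collections import deque

MAX_FAILURES = 5            # failures tolerated inside the window (assumption)
WINDOW_SECONDS = 15 * 60    # sliding window length in seconds (assumption)
LOCKOUT_SECONDS = 15 * 60   # lockout duration once the window is exhausted (assumption)
MIN_PASSPHRASE_LEN = 15     # policy minimum passphrase length (assumption)


class FakeClock:
    """Injectable clock so the window and lockout can be exercised without sleeping."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


class RateLimitedAuthenticator:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}        # username -> deque of failure timestamps
        self._locked_until = {}    # username -> time the lockout expires
        self._creds = {}           # username -> (salt, pbkdf2 hash); constructed store
        # Dummy credential used for unknown users so timing is uniform.
        self._dummy = (os.urandom(16), self._hash(os.urandom(16), "placeholder"))

    @staticmethod
    def _hash(salt, passphrase):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

    def register(self, username, passphrase):
        if len(passphrase) < MIN_PASSPHRASE_LEN:
            raise ValueError("passphrase shorter than policy minimum")
        salt = os.urandom(16)
        self._creds[username] = (salt, self._hash(salt, passphrase))

    def is_locked(self, username):
        return self._clock() < self._locked_until.get(username, 0.0)

    def attempt(self, username, passphrase):
        """Return 'ok', 'bad_credentials' or 'locked'."""
        now = self._clock()
        if self.is_locked(username):
            return "locked"
        fails = self._failures.setdefault(username, deque())
        # Forget failures that have slid out of the window.
        while fails and now - fails[0] > WINDOW_SECONDS:
            fails.popleft()
        salt, expected = self._creds.get(username, self._dummy)
        # Constant-time compare of the stored hash against the freshly derived one.
        ok = username in self._creds and hmac.compare_digest(
            expected, self._hash(salt, passphrase))
        if ok:
            fails.clear()
            return "ok"
        fails.append(now)
        if len(fails) >= MAX_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            fails.clear()
            return "locked"
        return "bad_credentials"


if __name__ == "__main__":
    clock = FakeClock()
    auth = RateLimitedAuthenticator(clock=clock)
    auth.register("nurse1", "correct horse battery staple")   # constructed passphrase
    for _ in range(5):
        print(auth.attempt("nurse1", "wrong guess"))           # 4x bad_credentials, then locked
    print(auth.attempt("nurse1", "correct horse battery staple"))  # locked
    clock.t += LOCKOUT_SECONDS + 1
    print(auth.attempt("nurse1", "correct horse battery staple"))  # ok
```

In production the window and lockout state would live in a shared store so that an attacker cannot spread guesses across application instances, and the lockout event itself should be logged, since a burst of lockouts across many accounts is exactly the signal the detection practices later in this article call for.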
The HICP Technical Volumes recommend all health care organizations establish a data classification policy that categorizes data (e.g., Highly Sensitive, Sensitive, Internal Use, or Public Use) and identify the types of records relevant to each category. For example, the “Sensitive Data” category should include PHI, social security numbers (SSNs), credit card numbers, and other information that must comply with regulations, may be used to commit fraud, or may damage the organization’s reputation. After the data has been classified, procedures can be written that describe how to use these data based on their classification. The HICP Technical Volumes recommend the health care organization’s workforce be trained to comply with organizational policies and, at a minimum, annual training be provided regarding the use of encryption and PHI transmission restrictions.
The HICP Technical Volumes suggest health care organizations with effective cybersecurity practices manage IT assets using processes referred to collectively as IT asset management (ITAM). It is recommended ITAM processes be implemented for all endpoints, servers, and networking equipment for loss prevention. ITAM processes enable organizations to understand their devices and the best options to secure them. The HICP Technical Volumes note that while it can be difficult to implement and sustain ITAM processes, such processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.
The HICP Technical Volumes state an effective network management strategy includes the deployment of firewalls to enable proper access inside and outside of the organization. Firewall technology is far more advanced than standard router-based access lists and is a critical component of modern network management. The HICP Technical Volumes recommend both small and large health care organizations deploy firewall capabilities in the following areas: on wide area network (WAN) pipes to the internet and perimeter, across data centers, in building distribution switches, in front of partner WAN/VPN connections, and over wireless networks.
HHS also indicates segmenting networks into security zones is a fundamental method of limiting cyberattacks. These zones can be based on sensitivity of assets within the network (e.g., clinical workstations, general user access, guest networks, medical device networks, building management systems) or standard perimeter segmentations (e.g., DMZ, middleware, application servers, database servers, vendor systems).
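The zone model HHS describes only limits an attack if traffic between zones is denied by default and each permitted flow is written down explicitly. The following added example (not from the HICP volumes or HHS) evaluates candidate flows against such a policy. The zone names follow the examples in the paragraph above; the subnets, ports and allowed flows are constructed assumptions. It is the kind of table a firewall administrator would keep beside the actual rule base, and it can double as a quick audit of why a given flow is or is not permitted.

```python
"""Added example (not from the HICP volumes): default-deny zone segmentation policy.

Maps IP addresses to security zones and allows only the inter-zone flows on
an explicit allow list. Zones, subnets, ports and flows are constructed.
"""
import ipaddress

# Zone name -> subnets (constructed; zone names mirror the HICP examples).
ZONES = {
    "clinical_workstations": ["10.10.0.0/16"],
    "general_users":         ["10.20.0.0/16"],
    "guest":                 ["192.168.50.0/24"],
    "medical_devices":       ["10.30.0.0/16"],
    "building_management":   ["10.40.0.0/24"],
    "dmz":                   ["10.100.0.0/24"],
    "application_servers":   ["10.110.0.0/24"],
    "database_servers":      ["10.120.0.0/24"],
}

# Explicit inter-zone allow list: (source zone, destination zone, TCP port).
# Anything not listed here is denied. All entries are assumptions.
ALLOWED_FLOWS = {
    ("clinical_workstations", "application_servers", 443),
    ("general_users",         "application_servers", 443),
    ("dmz",                   "application_servers", 443),
    ("application_servers",   "database_servers",    5432),
    ("clinical_workstations", "medical_devices",      443),  # device management console (assumption)
}

_NETWORKS = [(zone, ipaddress.ip_network(cidr))
             for zone, cidrs in ZONES.items() for cidr in cidrs]


def zone_of(ip):
    """Return the zone containing ip, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for zone, net in _NETWORKS:
        if addr in net:
            return zone
    return None


def evaluate(src_ip, dst_ip, dst_port):
    """Decide a flow. Returns (decision, reason) with decision 'allow' or 'deny'."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny", "address outside every defined zone"
    if src == dst:
        return "allow", f"intra-zone traffic within {src}"
    if (src, dst, dst_port) in ALLOWED_FLOWS:
        return "allow", f"explicit rule {src} -> {dst}:{dst_port}"
    return "deny", f"no rule for {src} -> {dst}:{dst_port} (default deny)"


def audit(flows):
    """Evaluate a list of (src_ip, dst_ip, dst_port) and return the decisions."""
    return [(s, d, p) + evaluate(s, d, p) for s, d, p in flows]


if __name__ == "__main__":
    # Constructed sample flows, including ones a segmentation policy must stop.
    sample = [
        ("10.10.5.5",     "10.110.0.10", 443),   # workstation -> app server
        ("10.110.0.10",   "10.120.0.5",  5432),  # app server -> database
        ("10.20.1.7",     "10.120.0.5",  5432),  # user straight to database
        ("192.168.50.10", "10.30.1.5",   443),   # guest -> medical device
        ("172.16.0.1",    "10.30.1.5",   443),   # unmapped source
    ]
    for row in audit(sample):
        print(row)
```

A useful property of keeping the policy in this form is that the allow list is short enough to review at every change, and a flow that "needs" a new exception between, say, the guest and medical device zones stands out immediately.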
The HICP Technical Volumes state effective health care cybersecurity programs use vulnerability management to proactively discover vulnerabilities. According to the HICP Technical Volumes, these processes enable the organization to classify, evaluate, prioritize, remediate, and mitigate the technical vulnerability footprint from the perspective of an attacker. The ability to mitigate vulnerabilities before a hacker discovers them gives the organization a competitive edge and time to address these vulnerabilities in a prioritized fashion.
The HICP Technical Volumes stress while most cybersecurity programs begin by implementing controls designed to prevent cyberattacks against an organization’s IT infrastructure and data, it is equally important to invest in and develop capabilities to detect successful attacks and respond quickly to mitigate the effects of these attacks. The HICP Technical Volumes state it is paramount all organizations detect, in near real time, phishing attacks that successfully infiltrate their environment and neutralize their effects before widespread theft of credentials or malware installation occurs.
The HICP Technical Volumes recommend any device connected directly to a patient for diagnosis or therapy should undergo extensive quality control to ensure it is safe for use. Rigorous stipulations, managed by the FDA, are in place for the development and release of such systems. Device manufacturers should comply with regulations regarding the manufacture of connected medical devices. Organizations that purchase devices and use them for the treatment of patients are the clinical providers. The HICP Publication states that given the highly regulated nature of medical devices and the specialized skills required to modify them, it is ill-advised for organizations that deploy medical devices to make configuration changes without the support of the device manufacturer. Doing so may put the health care organization at risk of voiding warranties, result in legal liabilities, and, at worst, harm the patient. Therefore, the HICP Publication notes that traditional security methods used to secure assets cannot necessarily be deployed in the case of medical devices, and recommends that health care organizations follow the specific sub-practices regarding effective management of connected medical devices.
The HICP Technical Volumes recommend both small health care organizations and medium to large health care organizations implement cybersecurity policies that describe and define the following:
The HICP Technical Volume for Small Health Care Organizations is available here.
The HICP Technical Volume for Large Health Care Organizations is available here.
The HICP Publication also includes an appendix of cybersecurity resources for health care organizations to access. The appendix includes a glossary of cybersecurity terms, documents used for cybersecurity assessments, links to government agency resources for cybersecurity guidance, and cybersecurity policies and procedures templates that can be adopted by health care organizations. The appendix to the HICP Publication that includes these resources is available here.
More information regarding the HHS-HSSC led task group and a downloadable copy of the entire HICP Publication is available here. If your organization has questions regarding the HICP Publication, the effectiveness of your cybersecurity practices, or other cybersecurity concerns such as HIPAA compliance, please contact a Dinsmore health care attorney for more information.
HHS Ransomware Factsheet, available at: https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.
See 45 C.F.R. § 164.308(a)(6).
21 U.S.C. § 321(h).
The HICP Technical Volumes reference the EDUCAUSE IAM toolkit for health care organizations looking to implement IAM programs, available here: https://library.educause.edu/resources/2013/5/toolkit-for-developing-an-identity-and-access-management-iam-program/.
The FDA has published separate recommendations for mitigating and managing cybersecurity threats, available here: https://www.fda.gov/medicaldevices/digitalhealth/ucm373213.htm.