Straight from the Experts: Cybersecurity Professionals Release Best Practices for Healthcare

June 18, 2019
A federal task force group was charged with developing a publication that aims to help industry stakeholders reduce cybersecurity threats

Throughout the healthcare industry, executives tasked with the daunting challenge of reducing cybersecurity risks in their respective patient care organizations are often left searching for answers and new best practices to mitigate these increasing threats.

This is why the Cybersecurity Act of 2015 set forth a mandate for industry leaders to develop practical cybersecurity guidelines with the aim of cost-effectively reducing cybersecurity risks across the sector. In late December 2018, the Department of Health and Human Services (HHS) released the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication, a four-volume set that outlines voluntary cybersecurity practices for healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems.

The publication marks the culmination of a two-year effort that brought together over 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. Erik Decker, industry co-lead on the publication and chief information security and privacy officer for the University of Chicago Medicine, recalls that in late 2016, HHS pulled together a task group to tackle this problem, and at the first meeting the following May, nearly 70 people gathered to brainstorm ideas on how to meaningfully move the cybersecurity needle across the health sector.

“The [core] takeaway from that meeting was that we cannot boil the ocean; this is a big problem with lots of moving parts. So, our approach was to first start with the biggest threats, limit them to a top five that we feel we all face, and then ultimately profile out the different types of healthcare organizations in the sector, the assets inside of those organizations, and the vulnerabilities that those assets have,” explains Decker.

From there, the task force set out to identify 10 best practices (assuming the group could limit itself to just 10) that mitigate those threats, says Decker. “We came up with that exercise and approach in May 2017 and in the seven sessions that took place in the 18 months following, we went through the process of building out those best practices, stratifying them by small, medium and large organizations, and ultimately applying a how-to guide to implementing those practices based on the size of your organization.”

The first volume of the publication discusses the current cybersecurity threats facing the healthcare industry and sets forth a call to action for executive decision makers, with the goal of raising general awareness of the issue. The subsequent volumes get into the best practices and sub-practices for organizations of each size. While the main document is designed for C-suite healthcare executives, hospital and health system boards, and clinicians themselves, the publication also includes two technical volumes geared toward IT and IT security professionals, Decker says.

The five threats explored in this document are: e-mail phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental or intentional data loss; and attacks against connected medical devices that may affect patient safety.

Meanwhile, the 10 broad practices to mitigate these threats are: e-mail protection systems; endpoint protection systems; access management; data protection and loss prevention; asset management; network management; vulnerability management; incident response; medical device security; and cybersecurity policies.

Decker notes that the publication is a “working document,” as mandated by Congress, and that the task force has already started on its second version. He adds that the group also built a tool to help organizations prioritize among the top-five threats according to their own current state. “So they can ask themselves, ‘Which ones are we most concerned with now based on our current state?’ while giving them the ability to rank the threats to give a priority order regarding the best practices to implement.”

As the main portion of the document states, “The intent of these cybersecurity practices is not to introduce a new framework, new methodology, or new regulatory requirement into the cybersecurity space, but rather to introduce guidance that will help raise the cybersecurity floor across the healthcare industry regarding our defensive and responsive cybersecurity practices.” It continues, “While the thought of risking patient safety to a cyber-attack is terrifying for any healthcare professional, it can be difficult to justify investments in cybersecurity when there are pressing opportunities to invest in equipment, materials, training, and personnel, which more visibly relate to patient care.”

To this end, Decker believes that cybersecurity investment across the industry is not where it needs to be and remains a huge challenge. “I am privileged that my organization is highly supportive of [our] cybersecurity program and has invested resources into it. But we are not the norm; even at the large systems it’s a struggle to get the [proper] investments,” he admits, adding that many small and medium-sized practices don’t have a dedicated security professional, “outside of some IT people that help them set up systems and then walk away.” The medium-sized organizations, such as critical access and rural hospitals, “are working off such thin margins, or they are losing money outright, so for them, putting a dollar into cyber versus a dollar into patient care is a very hard decision to make.”

Speaking to the increasingly open digital ecosystem that healthcare is becoming, which has made the sector an easier target now that so much of its data is online, Decker contends that strong governance and risk management strategies are now a necessity. “Part of the challenge is that there is a growing need to go digital in healthcare. We have to do that, and we have to manage the cost-benefit analysis of this as it pertains to cybersecurity. These programs ultimately need to be supportive of that growth and help enable the business,” he says.

Decker further advises organizations to “set parameters by which you will determine the bare baseline requirements inside your program that are absolute necessities—the non-negotiables—as well as the [elements] that are negotiable.” He adds, “And that’s where your risk evaluations and risk equations come in, along with your acceptance and tolerance levels. It’s not possible to be perfect or prevent everything. It would hinder a CISO to step in and demand that XYZ innovation be stopped—that will bring the institution behind the times, when the opposite is needed.”

He also believes that it’s the chief information security officer’s responsibility to cultivate partnerships across the enterprise, so that every department is on the same page at all times. “CISOs have to have good relationships everywhere, with their clinical leaders, the C-suite, administrative leadership, business leadership, and the board. There isn’t a single vice president in my organization who I don’t know.”
