The Department of Health and Human Services (HHS) has released its Healthcare and Public Health (HPH) Sector Cybersecurity Performance Goals (CPGs), a proposed common baseline designed to ensure the safe and reliable operation of critical infrastructure in healthcare, help network defenders meet key objectives, and improve the overall state of cyber resilience in the industry.
The CPGs are a definitive step in HHS’s plan to strengthen healthcare critical infrastructure and protect hospitals, patients, and communities from ongoing cyberattacks. The measures may also serve as a model for future incentives tied to provider organizations’ cybersecurity investments.
The goals are rooted in the HHS 405(d) Task Group’s Health Industry Cybersecurity Practices (HICP), arguably the most crucial cybersecurity resource for healthcare provider organizations. Created in partnership with more than 150 healthcare and cybersecurity leaders, the five-volume framework supports healthcare entities of all sizes in addressing the biggest risks facing the sector through tailored mitigating practices.
The framework supports the processes for implementing and adopting cyber practices based on the NIST Cybersecurity Framework (CSF) rather than on the Health Insurance Portability and Accountability Act (HIPAA), and centers on the most relevant and cost-effective ways to bolster cybersecurity across the enterprise. The 2023 update also names the top five threats facing the sector: social engineering, ransomware, theft or loss of equipment, data loss, and network attacks against connected medical devices.
By relying on the tailored, step-by-step guidance outlined in HICP and/or the NIST CSF, healthcare entities can reduce risk to the enterprise and improve their overall risk posture; meeting these standards also benefits the business and the patients it serves.
While resources and staffing may be constrained in this period of economic uncertainty, threat actors continue to target the healthcare sector in force: at least a dozen healthcare entities and associated clinics were forced into electronic health record (EHR) downtime during the first half of 2023 alone. Data confirms that such outages can cost larger entities an average of $1 million per day in lost revenue and recovery costs, and while systems are offline, patient safety, care quality, and morbidity from delayed care are all at stake.
Fortunately, with the passage of the HIPAA Safe Harbor law in 2021, HHS must now take into account whether a provider had recognized security practices in place during the 12 months preceding a reported security incident when it audits the entity to determine possible enforcement actions. These practices are effectively spelled out for providers in the HICP.
First Health Advisory advocates for Congressional action to incentivize the healthcare sector to take these necessary steps, and its industry experience and partnerships also support entities with:
- HICP Alignment Appraisals
- A continuous Enterprise IT Security Risk Assessment and Engineering program service, which efficiently identifies security risks to healthcare organizations. Working with the entity’s IT department, First Health plans, prioritizes, and implements risk-reducing solutions to create a constant cycle to keep network-connected digital assets secure.
- CISO Strategy & Support Program: Entities with established cybersecurity processes that are looking to improve program management and endpoint hardening may find support here. First Health’s team of tenured CISOs and seasoned executives with deep healthcare security, privacy, compliance, and risk management experience can take on overflow initiatives, helping entities keep security programs in pace with evolving threats and improve overall cyber hygiene.
First Health also offers an Enterprise Cybersecurity and 405(d) Assessment for enterprise and government health entities, which includes a security assessment and method for keeping the assessment continuously current to improve security agility and simplify resource planning.
Using 405d (HICP) to Guide Your Cybersecurity Program
First Health Advisory Supports Adherence to HICP’s 10 Prioritized Practices:
These 10 prioritized practices strengthen healthcare entities’ cybersecurity capabilities by enabling organizations to assess their current capabilities and set goals; by sharing knowledge, common practices, and appropriate references to improve competencies; and by empowering organizations to prioritize actions and investments (knowing what to ask) to improve cyber resiliency and posture.
Email Protection Systems
End users are one of the riskiest points of entry into an organization, if not the riskiest. Since HHS names social engineering and ransomware, both of which commonly arrive by email, as two of the five top threats facing the sector, securing email systems with additional controls should be a top focus.
Endpoint Protection Systems
(desktops, laptops, mobile and connected devices)
“Because technology is highly mobile, computers are often connected to and disconnected from an organization’s network.” Providers are rapidly driving digital innovation to enhance patient care, bringing an influx of endpoints in the form of connected devices, laptops, desktops, and other hardware. Without digital maturity, this vast number of endpoints puts entities at risk.
Identity & Access Management
Securely identifying users and granting network access is a challenge in every sector, but in healthcare the sheer volume of employees and vendors complicates how providers determine access requirements and maintain secure identity and access processes.
Data Protection/Loss Prevention
Physical and Electronic PHI Security
Data breaches in healthcare are among the most common in any industry. In fact, each of the 10 largest incidents reported this year affected more than 1 million patient records. These incidents commonly spur patient lawsuits, operational disruptions, and compliance headaches.
IT Asset Management (ITAM)
Cyber Hygiene Controls
One of the most overwhelming blind spots is connected clinical assets: operational technology and medical devices. As healthcare’s digital transformation continues to create new vulnerabilities, IT asset management is mission critical.
Network Management & Security
Wireless or wired connections
The typical hospital network is highly diverse, composed of standard corporate devices and servers that must also communicate seamlessly with a spectrum of medical devices, patient care systems, and vendor-connected devices, which means networks must be securely established.
Vulnerability Management
“This process uses a scanning capability, often provided by an EHR or IT support vendor, to proactively scan devices and systems in your organization.” As with IT asset management, a thorough inventory of devices and other assets is critical to ensuring prompt vulnerability and patch management. But most provider entities struggle to keep pace with these processes, leaving gaps for threat actors to exploit.
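The asset-management and vulnerability-management practices above both hinge on the same check: does every device in the inventory actually get scanned, does every scanned host actually appear in the inventory, and is every finding remediated within its SLA? The script below is an added example of that reconciliation; it is not code from First Health Advisory or from the HICP documents. The inventory rows, scanner output, field names and SLA values are all constructed for illustration, and a real run would load an ITAM export and a scanner report in their place.

```python
"""Reconcile an asset inventory with vulnerability-scan output.

Added example; this is not code from First Health Advisory or from the HICP
documents. The inventory rows, scanner output, field names and SLA values are
all constructed for illustration. A real run would load an ITAM export and a
scanner report in place of the literals below.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed patch-SLA policy: days allowed from first detection, by severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Constructed ITAM export. clinical=True marks a network-connected medical device,
# whose remediation usually needs vendor-validated patches or compensating controls.
INVENTORY = [
    {"asset_id": "A-1001", "ip": "10.20.1.15", "hostname": "infusion-pump-07", "clinical": True},
    {"asset_id": "A-1002", "ip": "10.20.1.16", "hostname": "pacs-srv-01", "clinical": True},
    {"asset_id": "A-2001", "ip": "10.30.4.22", "hostname": "nurse-ws-114", "clinical": False},
    {"asset_id": "A-2002", "ip": "10.30.4.23", "hostname": "nurse-ws-115", "clinical": False},
]

# Constructed scanner output: every host the scanner reached, plus its findings.
SCANNED_IPS = {"10.20.1.15", "10.30.4.22", "10.30.4.23", "10.30.9.99"}
SCAN_FINDINGS = [
    {"ip": "10.20.1.15", "finding": "SMBv1 enabled", "severity": "high", "first_seen": date(2023, 3, 1)},
    {"ip": "10.30.4.22", "finding": "Outdated browser", "severity": "medium", "first_seen": date(2023, 6, 20)},
    {"ip": "10.30.4.22", "finding": "Missing OS patch KB-X", "severity": "critical", "first_seen": date(2023, 6, 10)},
    {"ip": "10.30.9.99", "finding": "Telnet open", "severity": "high", "first_seen": date(2023, 6, 28)},
]
AS_OF = date(2023, 7, 1)  # constructed "today" for the sample data


@dataclass
class ReconciliationReport:
    unscanned: list = field(default_factory=list)  # inventory assets the scanner never reached
    unmanaged: list = field(default_factory=list)  # scanned hosts missing from the inventory
    overdue: list = field(default_factory=list)    # findings older than their severity SLA


def reconcile(inventory, scanned_ips, findings, as_of):
    """Cross-check inventory vs. scan coverage and age every finding against its SLA."""
    by_ip = {a["ip"]: a for a in inventory}
    report = ReconciliationReport()
    # Coverage gaps in both directions: unscanned managed assets and unmanaged scanned hosts.
    report.unscanned = sorted(a["asset_id"] for a in inventory if a["ip"] not in scanned_ips)
    report.unmanaged = sorted(ip for ip in scanned_ips if ip not in by_ip)
    for f in findings:
        sla = SLA_DAYS.get(f["severity"], SLA_DAYS["high"])  # unknown severity: treat as high
        age = (as_of - f["first_seen"]).days
        if age <= sla:
            continue
        asset = by_ip.get(f["ip"])
        report.overdue.append({
            "ip": f["ip"],
            "asset_id": asset["asset_id"] if asset else None,
            "clinical": bool(asset and asset["clinical"]),
            "finding": f["finding"],
            "severity": f["severity"],
            "days_overdue": age - sla,
        })
    # Most overdue first, so the list doubles as a remediation queue.
    report.overdue.sort(key=lambda o: o["days_overdue"], reverse=True)
    return report


if __name__ == "__main__":
    r = reconcile(INVENTORY, SCANNED_IPS, SCAN_FINDINGS, AS_OF)
    print("Never scanned:", r.unscanned)
    print("Not in inventory:", r.unmanaged)
    for o in r.overdue:
        tag = "clinical device, coordinate with biomed/vendor" if o["clinical"] else "IT asset"
        print(f"{o['ip']} {o['finding']!r} {o['severity']} overdue by {o['days_overdue']}d ({tag})")
```

On the sample data the PACS server is never scanned (a coverage gap the scanner report alone would never reveal), one scanned host is not in the inventory at all (a candidate shadow or vendor device), and the infusion pump carries a high-severity finding months past its SLA. The clinical flag matters because patching a regulated medical device typically waits on a vendor-validated update, so the realistic short-term action is a compensating control such as network isolation rather than an ad hoc patch.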
Security Operations Center & Incident Response
Common threats outlined by HICP include phishing attacks with malicious payloads and malware deployment. Reports confirm that attack volume against the healthcare sector has remained consistent while tactics evolve to evade detection, exploit unpatched flaws, and target workforce members and clinicians with phishing and other malware-based attacks.
Network Connected Medical Device Security
Network connected medical device security includes endpoint protection controls, IAM, asset management, vulnerability management, and medical device security terms added to vendor contracts. With the explosion of digital innovation, the number of network-connected medical devices has reached an all-time high. These high-tech tools are imperative for patient care, but bring a tremendous amount of risk without effective controls and management.
Cybersecurity Oversight & Governance
“Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyberattacks.”
As with all security measures, vulnerabilities and system weaknesses will continue without effective policies and procedures to ensure vendors and workforce members understand and adhere to established best practices.
Third-party risk management falls under Cybersecurity Oversight & Governance, as proper oversight and governance ensure third parties understand expectations and access requirements. It also falls under Email Protection Systems, as most small practices rely on third-party email systems.