With the top cybersecurity risks threatening the healthcare industry, how does a healthcare entity help mitigate those threats?
One way is to use the approaches promulgated under Section 405(d) of the Cybersecurity Act of 2015. The 405(d) task force released the Healthcare Industry Cybersecurity Practices (HICP) in late 2018 to address the top cybersecurity threats. HICP was updated just recently in April 2023. HICP’s goal is to develop consistent approaches to address the top cybersecurity threats specific to healthcare. HICP identifies 10 Cybersecurity Practices to help mitigate threats.
These 10 Cybersecurity Practices are:
- Cybersecurity Practice #1: E-mail Protection Systems
- Cybersecurity Practice #2: Endpoint Protection Systems
- Cybersecurity Practice #3: Identity and Access Management
- Cybersecurity Practice #4: Data Protection and Loss Prevention
- Cybersecurity Practice #5: IT Asset Management
- Cybersecurity Practice #6: Network Management
- Cybersecurity Practice #7: Vulnerability Management
- Cybersecurity Practice #8: Security Operations Center and Incident Response
- Cybersecurity Practice #9: Medical Device Security
- Cybersecurity Practice #10: Cybersecurity Policies
HICP was developed and continues to be updated by a wide spectrum of professionals—such as CEOs, CISOs, hospital administration, doctors, and nurses—across the healthcare industry from both private and public sectors. This process focused on keeping the cybersecurity practices simple and prescriptive along with providing a starting point for addressing cybersecurity threats.
Beyond being written for a broad audience, HICP is organized into two technical volumes: the first focused on Small Healthcare Organizations and the second on Medium and Large Healthcare Organizations. This split lets organizations compare themselves to their peers. Do not be intimidated by the word “technical” in technical volume; these volumes are written in plain English for all professionals who work in healthcare.
HICP provides general guidance on where an organization would fit:
| | Small | Medium | Large |
|---|---|---|---|
| Size (provider) | 1–10 physicians | 11–50 physicians | More than 50 physicians |
| Size (acute/post-acute) | 1–25 providers | 26–500 providers | More than 500 providers |
| Size (hospital) | 1–50 beds | 51–299 beds | More than 300 beds |
| Complexity | Single practice or care site | Multiple sites in extended geographic area | Integrated delivery networks; participate in accountable care organization or clinically |
Each of the Cybersecurity Practices is broken down into Sub-Practices and Threats Mitigated, and the Medium and Large Healthcare Organizations technical volume also provides Suggested Metrics.
Each Cybersecurity Practice can have multiple Sub-Practices. For example, Cybersecurity Practice #1: E-mail Protection Systems has the following:
- Three Sub-Practices for Small Healthcare Organizations:
  - 1.S.A Email System Configuration
  - 1.S.B Education
  - 1.S.C Phishing Simulation
- Four Sub-Practices for Medium Healthcare Organizations:
  - 1.M.A Basic E-mail Protection Controls
  - 1.M.B MFA for Remote Access
  - 1.M.C E-mail Encryption
  - 1.M.D Workforce Education
- In addition, three Sub-Practices for Large Healthcare Organizations:
  - 1.L.A Advanced and Next Generation Tooling
  - 1.L.B Digital Signatures Practices
  - 1.L.C Analytics Driven Education
The expectation would be that a Large Healthcare Organization would implement all 10 sub-practices for Cybersecurity Practice #1: E-mail Protection Systems.
Each Cybersecurity Practice will help mitigate key threats. For example, Cybersecurity Practice #1: E-mail Protection Systems addresses 1) social engineering, 2) ransomware attacks, and 3) insider, accidental, or malicious data loss.
Finally, each Cybersecurity Practice within the Medium and Large Healthcare Organizations technical volume lists Suggested Metrics, which can be used to answer the proverbial question of how well you are doing.
Some of the Suggested Metrics include:
- Number of malicious phishing attacks prevented on a weekly basis, compared to total email volume
- Percentage of users in your organization who are susceptible to phishing attacks based on the results of internal phishing campaigns
- Percentage of users who report suspected messages received during a phishing campaign
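To show how the three Suggested Metrics above can be computed consistently, here is an added example (not part of HICP or the original post) that calculates them from constructed phishing-simulation events and mail-gateway counters. Users are counted once each regardless of how many times they clicked, and weeks with no mail volume yield an undefined metric rather than a misleading 0%.

```python
from collections import defaultdict

# Constructed phishing-simulation events (not real data): one (user, event) row each.
# A user may produce several events; the metrics count each user once.
CAMPAIGN_EVENTS = [
    ("alice", "delivered"), ("alice", "clicked"), ("alice", "clicked"),
    ("bob", "delivered"), ("bob", "reported"),
    ("carol", "delivered"), ("carol", "clicked"), ("carol", "reported"),
    ("dave", "delivered"),
    ("erin", "delivered"), ("erin", "reported"),
]

# Constructed weekly mail-gateway counters: week -> (blocked_phish, total_inbound).
GATEWAY_WEEKS = {"2024-W01": (120, 48000), "2024-W02": (0, 0)}


def campaign_metrics(events):
    """Susceptibility and report rates as a percentage of targeted users.

    'delivered' defines the denominator. Clicks and reports are deduplicated
    per user, so a user who clicked twice counts once, and a user who clicked
    and later reported counts toward both numerators.
    """
    users_by_event = defaultdict(set)
    for user, event in events:
        users_by_event[event].add(user)
    targeted = users_by_event["delivered"]
    if not targeted:  # nothing delivered: rates are undefined, not 0%
        return {"targeted": 0, "susceptible_pct": None, "reported_pct": None}
    clicked = users_by_event["clicked"] & targeted
    reported = users_by_event["reported"] & targeted
    return {
        "targeted": len(targeted),
        "susceptible_pct": round(100 * len(clicked) / len(targeted), 1),
        "reported_pct": round(100 * len(reported) / len(targeted), 1),
    }


def weekly_block_ratio(weeks):
    """Blocked phishing mail as a percentage of total inbound volume, per week."""
    return {
        week: (round(100 * blocked / total, 3) if total else None)
        for week, (blocked, total) in weeks.items()
    }


if __name__ == "__main__":
    print(campaign_metrics(CAMPAIGN_EVENTS))   # 5 targeted, 40.0% susceptible, 60.0% reported
    print(weekly_block_ratio(GATEWAY_WEEKS))   # {'2024-W01': 0.25, '2024-W02': None}
```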
Not only does HICP address the top cybersecurity threats, but it is also a recognized security practice as noted in the 2021 HIPAA amendment.
HICP identifies 10 Cybersecurity Practices to address most of the risk to a healthcare organization. These 10 Cybersecurity Practices prescribe a simple starting point, a way to evaluate what your organization should do at a minimum, and Suggested Metrics to measure how well the Cybersecurity Practices are functioning.
If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.