January 2, 2019

Healthcare organizations have an excellent opportunity to recharge their commitment to safe, secure health information systems in the coming year by aligning their cybersecurity practices with best practices across the healthcare sector. A new publication from the Department of Health and Human Services is designed to help providers achieve this cohesion and unite the industry as it grapples with a seemingly endless stream of increasingly sophisticated cyber threats.

The publication, Health Industry Cybersecurity Best Practices: Managing Threats and Protecting Patients, represents the culmination of more than two years of work by a task group formed under the auspices of the Cybersecurity Act of 2015, Section 405(d), which calls for aligning healthcare industry security approaches to reduce cybersecurity risks for a range of different kinds of healthcare organizations.

The CSA 405(d) task group solicited input from a broad range of industry stakeholders to develop a common set of voluntary, consensus-based, industry-led guidelines, practices, methodologies, procedures and processes for healthcare organizations of all sizes. The publication includes technical volumes for small healthcare organizations and for medium and large healthcare organizations; resources and templates for end users; and a toolkit to help organizations prioritize their cybersecurity threats and develop action plans.

In a foreword, the 405(d) task group said that it chose to zero in on the most significant current cybersecurity threats as the best strategy to move “the cybersecurity needle” for a broad range of organizations, knowing that it could not feasibly address every cybersecurity challenge across the sector in a single publication.

“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers; recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert,” Erik Decker, industry co-lead and chief information security and privacy officer for the University of Chicago Medicine, said in an HHS statement.

The publication explores five of the most significant current cyber threats to the healthcare industry and recommends 10 Cybersecurity Practices to help mitigate them. Included are real-life examples and statistics illustrating the financial and human impact of cyber incidents. The main document also issues a call to action for the entire sector, including C-suite executives, clinicians and health information technology professionals, regarding the immediate urgency of enhancing protective and preventive cybersecurity measures.

The five threats explored in the document are:

• Email phishing attacks
• Ransomware attacks
• Loss or theft of equipment or data
• Insider, accidental or intentional data loss
• Attacks against connected medical devices that may affect patient safety

The 10 Cybersecurity Practices detailed in the technical volumes accompanying the main document are:

• E-mail protection systems
• Endpoint protection systems
• Access management
• Data protection and loss prevention
• Asset management
• Network management
• Vulnerability management
• Incident response
• Medical device security
• Cybersecurity policies

The publications are available at the CSA 405(d) website, here.