HHS Releases Voluntary Cybersecurity Practices, Supplementing Existing Requirements

At the close of 2018, the Department of Health and Human Services (HHS) published Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. While not formally styled as guidance or interpretive material, when the primary regulator of patient and health data protection offers “suggestions,” those subject to HIPAA had better pay attention. Beyond highlighting common threats to the protection of patient data, the HICP encompasses two supplemental technical volumes, one centering on small organizations and the other on medium and large organizations.


Healthcare and life sciences organizations (particularly manufacturers of medical devices) are no longer surprised when they receive communications from the Department of Homeland Security with respect to particular security vulnerabilities. And so, the HICP comes not from the Office of Civil Rights (OCR) but rather from the HHS Office of the Assistant Secretary for Preparedness and Response (ASPR), which describes its mission as “saving lives and protecting Americans from 21st century health security threats.” In addition to its disaster response and public health responsibilities, the ASPR was tasked by Section 405(d) of the Cybersecurity Act of 2015 (CSA) to establish a public-private task force to develop a common set of voluntary, consensus-based, and industry-led best practices, methodologies, and procedures for reducing cybersecurity risks for a range of healthcare organizations.

Until now, best practices for HIPAA security were largely driven by HITRUST and the U.S. Commerce Department’s National Institute of Standards and Technology (NIST), which provides standards in the governmental context that have been increasingly adopted by the private sector as reliable benchmarks. These will doubtless continue to be important forces, and a promised strength of the HICP is that it derives from an open, voluntary public-private effort.

HHS HICP Recommendations

The official goal of the HICP is “to foster awareness, provide practices, and move towards consistency within the [healthcare and public health] sector in mitigating the current most impactful cybersecurity threats.” The HICP approaches this by framing the conversation in terms of high-profile, largely familiar threats that we see in the news so often. In particular, the health sector has demonstrated risk with respect to i.) e-mail phishing attacks, ii.) ransomware attacks, iii.) loss or theft of equipment or data, iv.) insider, accidental, or intentional data loss, and v.) attacks against connected medical devices that may affect patient safety.

In promoting awareness of these threats, the HICP brings nothing new to the purview of larger healthcare systems, which are more likely to have the resources and technical capabilities to recognize and begin to combat such issues. Large swaths of the industry, however, have neither the awareness nor the first idea of how to protect sensibly against such concerns. And then, too, there are the myriad startups and emerging-growth health-tech firms that may have awareness but lack resources or a sense of how to prioritize limited funds.

For these stakeholders, the HICP can be most helpful, along with the NIST Cybersecurity Framework, which we have discussed here. The HICP generally and the supplemental volumes address ten core practices that organizations should consider. These are:

  1. E-mail protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

These practice recommendations are consistent with the NIST Cybersecurity Framework.

Next Steps

So what is a healthcare organization to do? Without joking too much, the first step is to acknowledge that you have an issue (if not a problem). Too many organizations seem to genuinely believe that “it” will not happen to them, or that “its” impact will be minimal. That misbelief needs to go. Secondly, read the Cybersecurity Framework and the HICP, which have the benefit of being written largely in layman’s terms. Finally, speak with a trusted advisor and discuss how to at least prioritize your organization’s response to threats, and to understand what risk you are likely facing. The so-called ostrich approach is successful for relatively few.