In May 2017, the Department of Health and Human Services (HHS) recognized the unique threat that cybersecurity attacks pose to the health sector, threatening not only systems and infrastructure but the lives of patients. Accordingly, it created a Task Force, bringing together a diverse group of more than 150 healthcare and cybersecurity experts with government partners and leaders to assess the specifics of the risk in the health sector. The purpose of the Task Force was to develop “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for health care organizations of varying sizes, ranging from local clinics, regional hospital systems, to large health care systems.” (Letter from the HHS Deputy Secretary).
HICP. The new Health Industry Cybersecurity Practices (HICP), introduced in 2018, were formulated and released against the backdrop of a century of Federal standard-setting practices for a diverse range of public and private activities.
NIST (the National Institute of Standards and Technology), founded in 1901, promotes “U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” NIST’s core competencies are measurement science, rigorous traceability, and the development and use of standards. The organization has set standards and spurred innovation in areas as diverse as the marketplace, electrical safety, household safety, radiation standards, weather forecasts, solar eclipse pictures, missiles, the atomic clock, dentistry, digitizing the census, free radicals (health-related), the draft lottery, data encryption standards, DNA, and more (see the NIST timeline). Part of its mission is determining and setting cybersecurity best practices and standards.
CSA. As cyberattacks grew quickly in scope from a public nuisance to a serious threat across all critical infrastructure sectors, the Cybersecurity Act of 2015 (CSA) (Public Law 114-113) established a “trusted platform and a tighter partnership between the United States (U.S.) government and the private sector . . . ” The law was formulated in the context of NIST standards and guidelines related to cybersecurity. It strengthened the partnership between government and the private sector; at the same time, it was a recognition of how comprehensively interconnected our society is through technology and the internet, and how dependent we are on the reliability of those interconnections.
Back to HICP. The result of the work of the Task Force created by HHS, published in December 2018, was Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. The publication is a response to Section 405(d) of the Cybersecurity Act of 2015 (CSA), which calls for “Aligning Health Care Industry Security Approaches.” The publication details five threats and best practices for mitigation.
Top Five Cybersecurity Risks to the Health Sector
- Email Phishing Attack. Email phishing is an attempt to trick the recipient of an email into giving out sensitive information. The phishing email appears to come from a trusted source and includes an active link or file, usually a graphic or picture. Opening the link takes the user to a page that solicits sensitive information or infects the user’s computer. Because computers are almost always part of a network of one kind or another, the infected computer then becomes an access point to an entire network of other devices.
- Ransomware Attack. The HHS Ransomware Factsheet, available at https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf, defines ransomware as follows: “Ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency such as Bitcoin) in order to receive a decryption key.”
- Loss or Theft of Equipment or Data. Equipment and data theft is widespread, “an ever-present and ongoing threat for all organizations. From January 1, 2018, to August 31, 2018, the Office for Civil Rights received reports of 192 theft cases affecting 2,041,668 individuals.” Loss of an expensive device with information the user values is difficult enough, but it is an even greater — and potentially more dangerous — loss to the extent the device contains sensitive data. And a device that is not properly safeguarded with password and other protections can not only yield sensitive data to a hacker but can become an access point to a wider network of information.
- Insider, Accidental, or Intentional Data Loss. “Insider threats exist in any organization where employees, contractors or other users access the organization’s technology infrastructure, network, or databases.” We will explore these insider threats more extensively in a moment, but for now, we will note two kinds of insider threats: accidental (through mistakenly opening a phishing email or other accidental security breaches) and intentional, for personal gain or to inflict harm on the organization or another individual.
- Attacks Against Connected Medical Devices That May Affect Patient Safety. One of the unique cybersecurity threats to the health sector is attacks against connected medical devices. Considering the wide range of devices that might be involved in “the cure, mitigation, treatment, or prevention of disease” and the ways these devices are interconnected with each other and with patients in a wide variety of scenarios, it is easy to imagine how an attack could be life-threatening. The HICP document provides this example: “A cyber attacker gains access to a care provider’s computer network through an e-mail phishing attack and takes command of a file server to which a heart monitor is attached. While scanning the network for devices, the attacker takes control (e.g., power off, continuously reboot) of all heart monitors in the ICU, putting multiple patients at risk.” What if patients with heart monitors are at that moment in surgery or in the middle of other procedures?
Topping (and Including) the Top Five
A January 2018 post in the HIPAA Journal, “The Top HIPAA Threats Are Likely Not What You Think,” points out that the top cybersecurity threats are employees. The article refers to an IBM X-Force Threat Intelligence Report which points to this surprising statistic: 71% of recorded data breaches in the healthcare industry are attributable to employee actions. Employees responsible for data breaches are divided into two categories – “malicious insiders” (25%) and “inadvertent actors” (46%). These malicious insiders and inadvertent actors correspond to #4 from the HICP document, “intentional” or “accidental” insiders. Because only one of the five threats in the HICP document (#4) specifically identifies insider threats, the document somewhat obscures the overwhelming significance of insiders in threats to the organization; recognizing that significance casts a different light on potential threat management strategies. In fact, employees and other insiders are implicated in all five types of threat.
The insider cybersecurity threat is so severe and well-known among cybersecurity consultants that their work begins at the most basic level, sometimes using surprisingly simple, even non-technical, tools for analysis. Identification of vulnerabilities may involve something we will call “the cake technique.” A security consultant on the way to a first evaluative visit to a company stops at a bakery to get a large sheet cake. At the locked entrance (the first security checkpoint), when asked for credentials, he points to the cake. He enters without providing credentials and, as he takes the cake to a location where he will leave it, surveys the physical setup and spots a vacant desk. After leaving the cake, he returns to the desk and, without anyone realizing what he is doing, hacks into the system and downloads sensitive data onto a disk. He exits the office a few moments later, prepared to report on breaches at the most basic level of security: the physical space and the employees within it. When asked about the cake technique, the consultant smiles and responds, “Hey, nobody stops the guy with the cake.” The example is amusing — but the reality is that an employee allowed a potentially malicious hacker into the physical space that held secure data critical to the company, and other employees saw and didn’t question or report the potential threat.
Managing Threats and Protecting Patients
The HICP document outlines mitigation practices specific to each type of threat. What all have in common is that they imply employee screening and training practices and a process that actively engages employees in protecting patients.
- Phishing. To avoid becoming the dupe of a phishing scheme, an employee should ask a series of questions before opening an email that contains links: Do you know the sender, or are you suspicious of the e-mail? Are there any spelling or grammatical errors, or any other indicators that the tone or style of the e-mail is off? Before clicking on a link, did you hover over it to see the URL destination? If in doubt, do NOT open any attachments. What are your organization’s processes for reporting suspicious e-mails? Beyond that, employees can check with colleagues to see if they received similar emails — or with their IT security team: are there protocols in place to reject the kind of email in question?
- Ransomware Attack. Most ransomware attacks occur through phishing emails, so due diligence means employees must ask the questions listed under Phishing above. In addition, a proactive approach includes employees checking with IT professionals to be certain the computer and network to which they are connected have an intrusion prevention system or software. If an employee becomes aware that a computer in use has become infected, or mistakenly responds to a phishing email, the employee must know to immediately disconnect the computer from the network and contact the IT team. Employees should also be instructed not to shut down the computer, because the IT investigation may need to access information left by the malware.
- Loss or Theft of Equipment or Data. Employees should be instructed to immediately notify IT security support staff or a similar point of contact when a work device has been misplaced, lost, or stolen. A lost or stolen device can compromise the entire system; it is a serious security breach and must be managed by IT professionals. Taking a device out of the office is a major responsibility, and employees should ask these questions first: Can I travel with my equipment? Can I take my equipment offsite to work remotely? Are USB or other portable storage devices allowed? Is the information on my computer or storage device encrypted? Is there a secure virtual private network (VPN) that I can use, along with secure, password-protected Wi-Fi, to log into the network and work?
- Insider, Accidental, or Intentional Data Loss. Preventing loss through insiders can be summed up in two short phrases: See something? Say something! (Remember the “cake technique” and how employees missed an obvious intrusion.) Beyond that, internal IT standards and protocols, coupled with the employee training and engagement discussed in the next section, are critical.
- Attacks Against Connected Medical Devices That May Affect Patient Safety. Organizational protocols in case of a potential shutdown or attack against medical devices must be in place and well-known to staff. Processes and procedures include knowing how patients will be notified if their medical devices are compromised. Similarly, patients should be informed how to notify the appropriate authority if they suspect their medical devices are compromised.
Most Important Management & Mitigation Practices
Since employees are the greatest threat to your organization and therefore to patient security, employee screening, onboarding training and regular training reviews and updates are critical. Just as critical is a secure environment that follows NIST guidelines, standards and protocols and conforms to legal requirements set out in the Cybersecurity Act of 2018. These standards and legal requirements that apply to cybersecurity are formulated clearly and simply and specifically for the health sector in Health Industry Cybersecurity Practices (HICP).
A proactive approach to cybersecurity is the best protection and is especially critical in the health sector. You’re even better served by a management team with particular expertise in the unique threats to the healthcare industry. Managed service and security professionals provide this kind of proactive IT management.
The IT plan for your healthcare business will include putting systems in place to protect your sensitive data and ensure compliance, regular reviews of your technology setup and IT security, risk analyses and checks for vulnerabilities to maintain your company’s security in an ever-changing security landscape, and new protocols as the security environment changes.
If you have questions about cybersecurity best practices for your healthcare business or would like to explore how to provide patients or your organization with the best possible protection from cybersecurity threats, please contact us.
Brian Gray, MCP, is the President at Kraft Technology Group, LLC (KTG), an affiliate of KraftCPAs PLLC. Within his role, Brian is responsible for all aspects of service delivery to our clients. Brian has a decade of experience working for managed service providers. He has worked with clients in a variety of industries, including financial services, accounting, legal, healthcare, manufacturing, and retail.