In May 2017, the Department of Health and Human Services (HHS) recognized the unique threat posed to the health sector by cybersecurity attacks, which threaten not only systems and infrastructure but the lives of patients. Accordingly, HHS created a Task Force by bringing together a diverse group of more than 150 healthcare and cybersecurity experts with government partners and leaders to assess the specifics of the risk in the health sector. The purpose of the Task Force was to develop “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for health care organizations of varying sizes, ranging from local clinics, regional hospital systems, to large health care systems.” (Letter from the HHS Deputy Secretary).
HICP. The new Health Industry Cybersecurity Practices (HICP), introduced in 2018, were formulated and released against the backdrop of a century of Federal standard-setting practices for a diverse range of public and private activities.
NIST (the National Institute of Standards and Technology), founded in 1901, promotes “U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” NIST’s core competencies are measurement science, rigorous traceability, and development and use of standards. The organization has introduced standards and generated inventiveness in areas as diverse as the marketplace, electrical safety, household safety, radiation standards, weather forecasts, solar eclipse pictures, missiles, the atomic clock, dentistry, digitizing the census, free radicals (health-related), the draft lottery, data encryption standards, DNA, and more (see the NIST timeline). Part of their mission is determining and setting cybersecurity best practices and standards.
CSA. As cyberattacks grew quickly in scope from a public nuisance to a serious threat across all critical infrastructure sectors, the Cybersecurity Act of 2015 (CSA) (Public Law 114-113) established a “trusted platform and a tighter partnership between the United States (U.S.) government and the private sector . . . ” This law was formulated in the context of NIST standards and guidelines related to cybersecurity. The law strengthened the partnership between government and the private sector; at the same time, it was a recognition of how comprehensively interconnected our society is through technology and the internet, and how dependent we are on the reliability of these interconnections.
Back to HICP. The result of the work of the Task Force created by HHS, published in December 2018, was Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. The publication is a response to Section 405(d) of the Cybersecurity Act of 2015 (CSA), which calls for “Aligning Health Care Industry Security Approaches.” The publication details five threats and best practices for mitigation.
A January 2018 post in the HIPAA Journal, “The Top HIPAA Threats Are Likely Not What You Think,” points out that the top cybersecurity threats are employees. The article refers to an IBM X-Force Threat Intelligence Report which points to this surprising statistic: 71% of recorded data breaches in the healthcare industry are attributable to employee actions. Employees responsible for data breaches are divided into two categories – “malicious insiders” (25%) and “inadvertent actors” (46%). These malicious insiders and inadvertent actors correspond to #4 from the HICP document, “intentional” or “accidental” insiders. Since only one (#4) of the five threats mentioned in the HICP document specifically identifies insider threats, that obscures somewhat the overwhelming significance of the role of insiders in threats to the organization and also casts a different light on potential threat management strategies. In fact, employees and other insiders are implicated in all five types of specific threats.
The insider cybersecurity threat is so severe and well-known among cybersecurity consultants that their work begins at the most basic level, sometimes using surprisingly simple, even non-technical, tools for analysis. Identification of vulnerabilities may involve something we will call “the cake technique.” A security consultant on the way to a first evaluative visit to a company stops at a bakery to get a large sheet cake. At the locked entrance (first security checkpoint) when asked for credentials, he points to the cake. He enters without providing credentials and as he takes the cake to a location where he will leave it, surveys the physical setup and spots a vacant desk. After leaving the cake, he returns to the desk, and without anyone realizing what he is doing, hacks into the system and downloads sensitive data onto a disk. He exits the office a few moments later prepared to report about breaches in the most basic level of security, the physical space and the employees within it. When asked about the cake technique, the consultant smiles and responds, “Hey, nobody stops the guy with the cake.” The example is amusing — but the reality is that an employee allowed a potentially malicious hacker into the physical space that held secure data critical to the company, and other employees saw and didn’t question or report the potential threat.
The HICP document outlines mitigation practices specific to each type of threat. What all have in common is that they imply employee screening and training practices and a process that actively engages employees in protecting patients.
Since employees are the greatest threat to your organization and therefore to patient security, employee screening, onboarding training and regular training reviews and updates are critical. Just as critical is a secure environment that follows NIST guidelines, standards and protocols and conforms to legal requirements set out in the Cybersecurity Act of 2018. These standards and legal requirements that apply to cybersecurity are formulated clearly and simply and specifically for the health sector in Health Industry Cybersecurity Practices (HICP).
A proactive approach to cybersecurity is the best protection and is especially critical in the health sector. You’re even better served by a management team with particular expertise in the unique threats to the healthcare industry. Managed service and security professionals provide this kind of proactive IT management.
The IT plan for your healthcare business will include putting systems in place to protect your sensitive data and ensure compliance, regular reviews of your technology setup and IT security, risk analyses and checks for vulnerabilities to maintain your company’s security in an ever-changing security landscape, and new protocols as the security environment changes.
If you have questions about cybersecurity best practices for your healthcare business or would like to explore how to provide patients or your organization with the best possible protection from cybersecurity threats, please contact us.