Healthcare cybersecurity has been elevated and prioritized in the last four months like at no other time. We’ve had influential lawmakers equate cybersecurity in importance with patient safety. There was also the inclusion of the PATCH Act in the 2023 Omnibus Appropriations Bill that put medical device vendors on notice that minimum cybersecurity requirements must be met when submitting devices to the FDA for approval. Those requirements include vital—and missing until then—processes for regularly addressing post-market vulnerabilities and out-of-band fixes for critical bugs, as well as spelling out the need for transparency with regard to the software components used in medical devices.
Today, another substantial milestone was achieved with publication of the Section 405(d) Task Group’s Health Industry Cybersecurity Practices (HICP). The extensive publication is the first HICP update in more than two years; it identifies top cybersecurity threats to the healthcare industry, and 10 blocking-and-tackling mitigation practices and sub-practices aimed at not only larger, more resourced organizations, but also smaller healthcare providers.
For an industry under siege from a global pandemic and opportunistic attackers launching relentless ransomware attacks at vulnerable healthcare delivery organizations, the 405(d) publication can provide some relief by spelling out meaningful objectives and outcomes for HDOs. Furthermore, while the HICP is not a regulatory mandate, the U.S. Department of Health and Human Services said that for HDOs able to attest to following these recommended security practices, it would consider providing relief from fines for violations, terminating audits, or mitigating conditions proposed for resolution agreements.
The HICP is a voluntary set of practices that are aligned to current threats affecting HDOs; witnesses in a recent Homeland Security & Governmental Affairs Committee hearing recommended it as the best practices for an incentive program to move cyber hygiene forward in healthcare.
The HICP is closely aligned to the NIST Cybersecurity Framework, and is meant as a reference document for healthcare cybersecurity teams looking to kick off or enhance their programs. The publication includes:
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (main document)
Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations
Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations.
Also included are reference material, resources, templates, and a practices assessment toolkit. Thematically, the publication is structured around the top threats and the cybersecurity practices aimed at blunting those threats, each with varying degrees of sophistication according to the size and maturity of the healthcare organization.
The top five threats facing healthcare organizations according to the HICP document are:
Social engineering (replacing email phishing)
Loss or theft of equipment or data
Accidental, incidental or malicious data loss
Attacks against network connected medical devices
The top 10 recommended security practices in the document are:
Email protection systems
Endpoint protection systems
Identity and access management
Data protection and loss prevention
IT asset management
Security operations center and incident response
Network connected medical devices (fully updated with new sub-practices)
Cybersecurity oversight and governance (updated from the last version)
Several noteworthy revisions and modifications have been made to both threats and security practices in order to align the document with current threats and standards that we’ll cover here:
In the main HICP document, social engineering now encompasses phishing attempts and mitigations, as well as other commodity threats such as smishing, whaling, and business email compromise.
Successful social engineering attacks have been the launchpad for countless network incursions. Sophisticated messaging, whether over email, SMS, or social media, can coerce victims into surrendering credentials to critical systems, or into falling victim to exploits targeting commodity vulnerabilities.
Attackers adept at social engineering can leverage these attacks to gain a foothold on networks or devices, leading to loss of electronic medical records or, in a worst-case scenario, negatively impacting patient care.
Cybersecurity Practice No. 9: Network connected medical devices has been updated throughout with new sub-practices addressing risks posed by connectivity. Diagnostic and therapeutic medical devices such as patient monitoring systems or infusion pumps, respectively, play a central role in patient care and safety. They generate life-saving information that must be securely transmitted and stored; devices must also be safe from manipulation in order to prevent unwanted changes to diagnosis and treatment.
Here, the HICP reinforces how cyber-physical systems and connected internet of things (IoT) devices can make changes to physical systems and must be explicitly recognized from a security and data protection standpoint. The document also specifies how the IT CIA triad of confidentiality, integrity, and availability does not map directly onto IoT and even operational technology (OT), whose requirements center on reliability, availability, and safety.
The updated sub-practices reflect the controls necessary to maintain patient safety, device effectiveness and security, and data security together with its privacy implications for the patient. To that end, users will see updates for medium-sized organizations around medical device management, endpoint protection, asset (device discovery) and vulnerability management (categorization of flaws via CVEs for patching prioritization), and access controls (zero-trust architectures). Larger organizations would benefit from updates made to the security operations and incident response sections, as well as new procurement and security evaluations sections.
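The vulnerability-management sub-practice above pairs CVE categorization with patching prioritization, and the preceding paragraph notes that connected medical devices are governed by reliability, availability and safety rather than the plain CIA triad. The script below is an added illustration of how a team might combine the two, weighting each CVE by the patient-safety class of the device it affects rather than by CVSS alone. It is not from the HICP or from any vendor; the device inventory, the three safety classes, the weighting factors and the CVE identifiers are all constructed placeholders.

```python
from dataclasses import dataclass, field

# Assumed safety tiers for connected medical devices (not an HICP classification):
# a therapeutic device (e.g. an infusion pump) can directly alter treatment, so a
# flaw there outranks the same flaw on an administrative workstation.
SAFETY_WEIGHT = {"therapeutic": 3.0, "diagnostic": 2.0, "administrative": 1.0}
EXPLOITED_MULTIPLIER = 1.5      # assumed bump for flaws known to be exploited in the wild
EXPOSED_MULTIPLIER = 1.25       # assumed bump for devices reachable from general networks


@dataclass(frozen=True)
class Finding:
    cve: str          # CVE identifier; the sample values below are placeholders, not real CVEs
    cvss: float       # CVSS base score, 0.0 to 10.0
    exploited: bool   # whether the flaw is listed as actively exploited


@dataclass
class Device:
    name: str
    safety_class: str
    network_exposed: bool
    findings: list[Finding] = field(default_factory=list)


def score(device: Device, finding: Finding) -> float:
    """Patient-safety-weighted priority score for one CVE on one device."""
    result = finding.cvss * SAFETY_WEIGHT[device.safety_class]
    if finding.exploited:
        result *= EXPLOITED_MULTIPLIER
    if device.network_exposed:
        result *= EXPOSED_MULTIPLIER
    return result


def prioritize(devices: list[Device]) -> list[tuple[float, str, str]]:
    """Return (score, device name, CVE) rows, highest priority first."""
    rows = [(score(d, f), d.name, f.cve) for d in devices for f in d.findings]
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed inventory: three devices, one placeholder CVE each.
SAMPLE_DEVICES = [
    Device("infusion-pump-01", "therapeutic", True,
           [Finding("CVE-0000-0001", 7.5, exploited=True)]),
    Device("patient-monitor-07", "diagnostic", True,
           [Finding("CVE-0000-0002", 9.5, exploited=False)]),
    Device("scheduling-kiosk-02", "administrative", False,
           [Finding("CVE-0000-0003", 9.5, exploited=True)]),
]

if __name__ == "__main__":
    for priority, name, cve in prioritize(SAMPLE_DEVICES):
        print(f"{priority:7.2f}  {name:20s}  {cve}")
```

Sorting by CVSS alone would put the two 9.5 findings ahead of the infusion pump's 7.5; the safety weighting reverses that order, which is the point the HICP's shift from the CIA triad to reliability, availability and safety is making. The weights are a starting point to be tuned against an organization's own device risk assessments.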
Cybersecurity Practice No. 10: Cybersecurity Oversight and Governance also received a major revision, primarily focusing on the needs and capabilities of smaller organizations in Technical Volume 1, and larger organizations in Technical Volume 2.
Sub-practices on policies (re-aligning scope to match the resource capabilities of the HDO) and on security awareness and training (which now includes security policy training) were updated. New sub-practices in this section focus on cybersecurity insurance and on risk assessment and management.
Cyber insurance has been gaining popularity among security and risk management officials who are proactively seeking out coverage and desperately trying to understand coverages, exceptions, and risk transference. Ransomware is a big driver of cyber insurance’s current surge, particularly among healthcare organizations, which are an appealing target to attackers because of their perceived willingness to meet ransom demands in order to ensure not only business continuity but also prevent delays in patient care.
The HICP lists what countermeasures insurance underwriters expect to see before offering coverage, and lists out a half-dozen questions to ask providers in order to properly assess their policies and coverage.
Finally, the HICP covers risk assessments and risk management from a framework and process point of view. It lists numerous NIST frameworks, including NIST SP 800-30 and the NIST CSF, that can be used to conduct risk assessments; it also stresses the need to identify IT and connected IoT and OT assets in order to get a full view of the potential weaknesses that exacerbate risk profiles.
Ty Greenhalgh is the Industry Principal for Healthcare at Claroty Healthcare. He is also an ambassador with the HHS 405(d) Program and Task Group, which was responsible for the recognized security practices referenced in the new HITECH amendment, more commonly known as the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.