How to Deliver SMB Healthcare Cybersecurity

Three best practices from the 405(d) Healthcare Industry Cybersecurity Practices (HICP) can offer smaller and medium-sized healthcare organizations quick cybersecurity wins.

Juan Piacquadio and Tim Hall
Feb 22, 2023

The arrival of Industry 4.0 and its disruptive technology ecosystems in healthcare has, in recent years, significantly changed medical practice. Particularly affected have been:

  • The delivery of therapies and services

  • The manufacturing processes of medicines and medical devices

  • The exchange of healthcare records and information

  • The way medical and healthcare organizations operate and interact

  • The relationships between consumers, patients, and providers

These changes have largely benefited patients and the community, but the technology has also come at a price: as more healthcare players integrate technology into their daily offerings, they also introduce vulnerabilities.

In an effort to protect patients and organizations, the Department of Health and Human Services created the 405(d) Program, following the Cybersecurity Act of 2015, with the purpose of developing best practices and methodologies to strengthen the healthcare and public health (HPH) sector's cybersecurity posture against threats. As part of this effort, a public-private collaborative task group was convened to develop a set of voluntary, practical, and cost-effective best practices to mitigate the most pertinent and current cybersecurity threats to the HPH sector. The task group identified five threats to cybersecurity in the healthcare sector and offered 10 practices to mitigate the risk posed by those threats. The five identified threats are:

  1. Email phishing attacks

  2. Ransomware attacks

  3. Loss or theft of equipment or data

  4. Internal, accidental, or intentional data loss

  5. Attacks against connected medical devices that may affect patient safety


It is important to consider that organizations operate in different regions and industries, with different business and operational models and technologies, and deliver products and services through different channels, means, and approaches, so some attack vectors are more effective against some organizations than others. We will highlight the three 405(d) best practices that offer small- to mid-size organizations the highest return on investment by reducing the risk posed by the five threats listed above.

Educate Your Users: Cyber Awareness Training

Email phishing is one of the primary vectors of attack. Cyber boundaries can be difficult to penetrate, so attackers aim to gain a foothold on internal systems by fooling employees into downloading files, clicking on links, or providing seemingly innocuous information that can be used in a targeted attack. Offering cyber awareness training helps empower employees to identify phishing messages and avoid interacting with them. Details on these phishing techniques are provided below:

[Figure: Phishing Techniques from 405(d) Task Group]
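The cues that awareness training teaches staff to look for can also be checked mechanically. The following is an added example, not code from the article or from the 405(d) program: it scores a constructed e-mail for a display name that borrows a trusted organization's name while coming from an untrusted domain, a Reply-To that diverges from From, link text that shows one site while the href points to another, and pressure language. The trusted-domain list, the `.example` domains, the urgency terms, and the last-two-labels approximation of a registered domain are all assumptions.

```python
"""Phishing indicator check over a constructed e-mail (added example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed pressure-language terms; extend to match local training material.
URGENCY_TERMS = ("urgent", "immediately", "suspended", "verify your account")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two DNS labels, a crude stand-in for the registered domain
    (assumption: no public-suffix list is consulted)."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def phishing_indicators(raw_message, trusted_domains):
    """Return a list of (indicator, detail) tuples; an empty list means no cue fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain not in trusted_domains:
        # Display name that borrows a trusted organization's name (its first DNS label).
        for trusted in trusted_domains:
            if trusted.split(".")[0] in display.lower():
                findings.append(("lookalike-sender",
                                 f'display name "{display}" but sender domain {from_domain}'))
                break

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"From {from_domain}, Reply-To {reply_domain}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        # Only link text that itself looks like a URL can be compared against the href.
        shown_host = urlparse(text).hostname if "://" in text else None
        real_host = urlparse(href).hostname
        if shown_host and real_host and registrable(shown_host) != registrable(real_host):
            findings.append(("link-mismatch", f"text shows {shown_host}, href goes to {real_host}"))

    haystack = (str(msg.get("Subject", "")) + " " + content).lower()
    hits = [term for term in URGENCY_TERMS if term in haystack]
    if hits:
        findings.append(("pressure-language", ", ".join(hits)))
    return findings


# Constructed sample messages; every domain is a placeholder.
SUSPICIOUS = """\
From: "MedPortal IT Support" <helpdesk@medportal-secure.example>
Reply-To: reset@mail-verify.example
To: nurse@clinic.example
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verify your account immediately.</p>
<p><a href="http://mail-verify.example/login">https://portal.medportal.example/login</a></p>
</body></html>
"""

BENIGN = """\
From: "Clinic Helpdesk" <helpdesk@clinic.example>
To: nurse@clinic.example
Subject: Scheduled maintenance window on Saturday
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The EHR will be offline 02:00-04:00 for patching.</p>
<p><a href="https://intranet.clinic.example/maintenance">https://intranet.clinic.example/maintenance</a></p>
</body></html>
"""

TRUSTED = {"medportal.example", "clinic.example"}  # assumed list of the organization's own domains

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name)
        for indicator, detail in phishing_indicators(raw, TRUSTED):
            print(f"  {indicator}: {detail}")
```

The constructed suspicious message trips all four indicators, while the benign maintenance notice trips none; the same four checks map directly onto the questions staff are trained to ask (who really sent this, where does the link really go, why the hurry).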

Manage Access

Even though organizations can be fined up to $1.5 million for failing to protect patient data, the Department of Health and Human Services calculates that the average new healthcare administrator, clinician, or physician at a small healthcare company is granted instant access to nearly 5,500 files containing sensitive patient information. Instead, access should be granted on a need-to-know basis, following the principle of least privilege. Implement these eight best practices to reduce the risk associated with ransomware attacks, insider data loss, and attacks against your company's assets.

  1. Establish a unique account for each user

  2. Limit the use of shared or generic accounts

  3. Tailor access to the need of each user

  4. Terminate user access as soon as the user leaves the organization

  5. Provide role-based access

  6. Configure systems and endpoints with automatic lock and log-off

  7. Implement Single Sign-On (SSO)

  8. Implement Multi-Factor Authentication (MFA) for application and data access
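A periodic access review is the check that tells you whether these practices are actually holding. The following is an added example, not code from the article or the 405(d) program: it runs a review over a constructed account inventory and flags shared logins, access that outlives employment, grants beyond the user's role, and enabled accounts without MFA. The role-to-permission map, the account names, and the review date are constructed sample data.

```python
"""Access review over a constructed account inventory (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Role-based model (assumed): each role carries only the resources that job needs.
ROLE_PERMISSIONS = {
    "clinician": {"ehr:read", "ehr:write", "imaging:read"},
    "billing": {"ehr:read", "claims:read", "claims:write"},
    "it-admin": {"ehr:admin", "directory:admin"},
}


@dataclass
class Account:
    username: str
    roles: set
    direct_grants: set = field(default_factory=set)  # ad-hoc grants outside any role
    mfa_enrolled: bool = False
    shared: bool = False                  # generic login used by more than one person
    separated_on: Optional[date] = None   # HR separation date, None while employed
    enabled: bool = True


def role_permissions(account):
    """Permissions the account should hold purely from its assigned roles."""
    perms = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def review_account(account, today):
    """Return findings for one account; an empty list means it is compliant."""
    findings = []
    if account.shared:
        findings.append("shared/generic account: replace with unique per-user accounts")
    if account.enabled and account.separated_on and account.separated_on <= today:
        findings.append(f"separated on {account.separated_on} but account still enabled")
    unknown = sorted(r for r in account.roles if r not in ROLE_PERMISSIONS)
    if unknown:
        findings.append(f"roles with no defined permission set: {unknown}")
    excess = sorted(account.direct_grants - role_permissions(account))
    if excess:
        findings.append(f"grants outside assigned roles: {excess}")
    if account.enabled and not account.mfa_enrolled:
        findings.append("MFA not enrolled")
    return findings


def run_review(accounts, today):
    """Map each non-compliant username to its list of findings."""
    report = {}
    for account in accounts:
        findings = review_account(account, today)
        if findings:
            report[account.username] = findings
    return report


REVIEW_DATE = date(2023, 2, 22)  # constructed review date
SAMPLE_ACCOUNTS = [  # constructed inventory
    Account("j.doe", {"clinician"}, mfa_enrolled=True),
    Account("frontdesk", {"clinician"}, shared=True),
    Account("a.smith", {"billing"}, direct_grants={"ehr:admin"}, mfa_enrolled=True),
    Account("r.lee", {"clinician"}, mfa_enrolled=True, separated_on=date(2023, 1, 31)),
]

if __name__ == "__main__":
    for user, findings in run_review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

In the sample data `j.doe` passes, the shared `frontdesk` login fails twice (shared account, no MFA), `a.smith` holds an `ehr:admin` grant that no billing role justifies, and `r.lee` left the organization three weeks before the review but is still enabled. Feeding the same checks with an export from the directory or identity provider turns the eight practices into a recurring control rather than a one-time setup.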

Protect Your Endpoints

Based on data from the Department of Health and Human Services, the average cost of a data breach in the healthcare sector in 2020 was $7.13 million. Protected endpoints provide a strong first line of defense against ransomware attacks and against loss or theft of data by reducing the attack surface. The six best practices to protect your endpoints are:

  1. Remove administrative access for standard users

  2. Keep your endpoints patched

  3. Implement antivirus/antimalware software

  4. Turn on endpoint encryption

  5. Enable firewalls

  6. Enable MFA for device sign-on
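To know which of the six controls to tackle first, it helps to measure coverage across the fleet rather than host by host. The following is an added example, not code from the article or the 405(d) program: it evaluates a constructed endpoint inventory against the six controls, lists the remediation each host needs, and reports the fraction of hosts passing each control. The host names and states, the set of accounts permitted local administrator rights, and the 30-day patch window are all assumptions.

```python
"""Endpoint baseline check over a constructed fleet inventory (added example)."""
from datetime import date, timedelta

PATCH_MAX_AGE = timedelta(days=30)  # assumed acceptable patch lag
PRIVILEGED_USERS = {"admin-svc"}    # assumed accounts allowed in the local Administrators group
CONTROLS = ("no-local-admin", "patched", "antimalware", "encrypted", "firewall", "mfa-signin")


def evaluate_endpoint(host, today, privileged_users=PRIVILEGED_USERS):
    """Return a list of (control, detail) for every control the host fails."""
    failed = []
    standard_admins = sorted(u for u in host["local_admins"] if u not in privileged_users)
    if standard_admins:
        failed.append(("no-local-admin", f"standard users in Administrators: {standard_admins}"))
    lag = today - host["last_patched"]
    if lag > PATCH_MAX_AGE:
        failed.append(("patched", f"last patched {lag.days} days ago"))
    if not host["antimalware_active"]:
        failed.append(("antimalware", "antivirus/antimalware agent not active"))
    if not host["disk_encrypted"]:
        failed.append(("encrypted", "full-disk encryption off"))
    if not host["firewall_on"]:
        failed.append(("firewall", "host firewall disabled"))
    if not host["mfa_signin"]:
        failed.append(("mfa-signin", "device sign-on does not require MFA"))
    return failed


def fleet_summary(hosts, today):
    """Return (per-host findings, fraction of hosts passing each control)."""
    per_host = {h["name"]: evaluate_endpoint(h, today) for h in hosts}
    coverage = {}
    for control in CONTROLS:
        failing = sum(1 for findings in per_host.values()
                      if any(c == control for c, _ in findings))
        coverage[control] = (len(hosts) - failing) / len(hosts)
    return per_host, coverage


TODAY = date(2023, 2, 22)  # constructed assessment date


def _host(name, admins, patch_days_ago, av=True, enc=True, fw=True, mfa=True):
    """Build one constructed inventory record."""
    return {"name": name, "local_admins": admins,
            "last_patched": TODAY - timedelta(days=patch_days_ago),
            "antimalware_active": av, "disk_encrypted": enc,
            "firewall_on": fw, "mfa_signin": mfa}


SAMPLE_FLEET = [  # constructed inventory
    _host("ws-01", ["admin-svc"], 5),
    _host("ws-02", ["admin-svc", "nurse.kim"], 45, enc=False),
    _host("lt-03", [], 10, av=False, fw=False, mfa=False),
    _host("ws-04", [], 2, enc=False, mfa=False),
]

if __name__ == "__main__":
    per_host, coverage = fleet_summary(SAMPLE_FLEET, TODAY)
    for control in CONTROLS:
        print(f"{control:15s} {coverage[control]:.0%} of hosts compliant")
    for name, findings in per_host.items():
        for control, detail in findings:
            print(f"{name}: [{control}] {detail}")
```

On the sample fleet, encryption and MFA for sign-on are the controls with the lowest coverage (half the hosts), which is where the quick wins are; the per-host lines give the help desk a concrete work list. The inventory fields are deliberately simple so that they can be populated from whatever endpoint management or reporting tool the organization already has.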


The Department of Health and Human Services 405(d) Program recommendations, which are aligned with the "Protect" function of the NIST Cybersecurity Framework, prioritize high return on investment and quick wins by focusing on reducing the number of attack vectors available to potential attackers. By educating users, raising the level of awareness across the organization, restricting access to sensitive resources following the principle of least privilege, and implementing endpoint protections, small- to mid-size healthcare organizations can effectively minimize their attack surface without diverting attention from the development of a strong security program.

Juan Piacquadio
CIO & VP, Information Technology at Phlow Corporation.

Tim Hall
Director of Information Security at Phlow Corporation.