The introduction of Industry 4.0 and its disruptive technology ecosystems into healthcare in recent years has significantly changed medical practice. Particularly affected have been:
The delivery of therapies and services
The manufacturing processes of medicines and medical devices
The exchange of healthcare records and information
The way medical and healthcare organizations operate and interact
The relationships between consumers, patients, and providers.
These changes have largely benefited patients and the community, but the technologies also came at a price: as more healthcare players integrate technology into their daily offerings, they also introduce vulnerabilities.
In an effort to protect patients and organizations, the Department of Health and Human Services (HHS) created the 405(d) Program under the Cybersecurity Act of 2015, with the purpose of developing best practices and methodologies to strengthen the cybersecurity posture of the healthcare and public health (HPH) sector against threats. As part of this effort, a public-private task group was convened to develop a set of voluntary, practical, and cost-effective best practices to mitigate the most pertinent current cybersecurity threats to the HPH sector. The task group identified five threats to cybersecurity in the healthcare sector and offered 10 practices to mitigate the risk they pose. The five identified threats are:
Email phishing attacks
Ransomware attacks
Loss or theft of equipment or data
Internal, accidental, or intentional data loss
Attacks against connected medical devices that may affect patient safety
It is important to consider that as organizations operate in different regions and industries with different business and operational models and technologies, and deliver products and services using different channels, means and approaches, some attack vectors can be more effective against some organizations than others. We will highlight the three 405(d) best practices that offer small- to mid-size organizations the highest return on investment by reducing the risk posed by the five threats listed above.
Email phishing is one of the primary attack vectors. Because network perimeters can be difficult to penetrate, attackers aim to gain a foothold on internal systems by fooling employees into downloading files, clicking links, or providing seemingly innocuous information that can then be used in a targeted attack. Cyber awareness training helps employees identify phishing messages and avoid interacting with them. Details on these phishing techniques are provided below:
Even though organizations can be fined up to $1.5 million for failing to protect patient data, the Department of Health and Human Services calculates that the average new healthcare administrator, clinician or physician at a small healthcare company is granted instant access to nearly 5,500 files containing sensitive patient information. Access should instead be granted on a need-to-know basis, following the principle of least privilege. Implement these eight best practices to reduce the risk associated with ransomware attacks, insider data loss, and attacks against your company’s assets.
Establish a unique account for each user
Limit the use of shared or generic accounts
Tailor access to the need of each user
Terminate user access as soon as the user leaves the organization
Provide role-based access
Configure systems and endpoints with automatic lock and log-off
Implement Single Sign-On (SSO)
Implement Multi-Factor Authentication (MFA) for application and data access
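One way to check an identity-provider export against these practices, added here as an example (not code from the article or from the HHS 405(d) Program): the HR roster, role baseline and account export below are constructed sample data, and the practice labels are assumed names for reporting.

```python
# Added example (not code from the article or the HHS 405(d) Program): audit a constructed
# identity-provider export against the access-management practices above. All data is constructed.

# Constructed HR roster: who is still employed and in what role.
HR_ROSTER = {
    "jdoe": {"status": "active", "role": "clinician"},
    "asmith": {"status": "terminated", "role": "billing"},
    "mlee": {"status": "active", "role": "clinician"},
}

# Constructed minimum entitlements per role (role-based, need-to-know access).
ROLE_BASELINE = {"clinician": {"ehr_read", "ehr_write"}, "billing": {"claims_read"}}

# Constructed account export; an empty "owners" list marks a shared or generic login.
IAM_ACCOUNTS = [
    {"account": "jdoe", "owners": ["jdoe"], "enabled": True, "mfa": True,
     "grants": {"ehr_read", "ehr_write"}},
    {"account": "asmith", "owners": ["asmith"], "enabled": True, "mfa": True,
     "grants": {"claims_read"}},
    {"account": "mlee", "owners": ["mlee"], "enabled": True, "mfa": False,
     "grants": {"ehr_read", "ehr_write", "claims_read"}},
    {"account": "nursestation1", "owners": [], "enabled": True, "mfa": False,
     "grants": {"ehr_read"}},
]


def audit_accounts(accounts, roster, baseline):
    """Return (account, practice, detail) findings; an empty list means compliant."""
    findings = []
    for acct in accounts:
        name, owners = acct["account"], acct["owners"]
        # Practices 1-2: exactly one named owner, no shared or generic accounts.
        if len(owners) != 1:
            findings.append((name, "unique-account", f"{len(owners)} owners"))
        if not acct["enabled"]:
            continue  # a disabled account carries no live risk for the checks below
        for owner in owners:
            person = roster.get(owner)
            # Practice 4: access ends when the owner leaves (or was never on the roster).
            if person is None or person["status"] != "active":
                findings.append((name, "terminate-access", f"owner {owner} not active"))
                continue
            # Practices 3 and 5: anything granted beyond the role baseline is excess.
            excess = acct["grants"] - baseline.get(person["role"], set())
            if excess:
                findings.append((name, "least-privilege", ",".join(sorted(excess))))
        # Practice 8: MFA on every enabled account.
        if not acct["mfa"]:
            findings.append((name, "mfa", "not enrolled"))
    return findings
```

Running it on the sample data flags the terminated user's still-enabled account, the clinician's excess billing grant, the generic workstation login, and the two accounts without MFA, while the compliant account produces no finding.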
Based on data from the Department of Health and Human Services, the average cost of a data breach in the healthcare sector in 2020 was $7.13 million. Protected endpoints provide a strong first line of defense against ransomware attacks and the loss or theft of data by reducing the attack surface. The six best practices to protect your endpoints are:
Remove administrative access for standard users
Keep your endpoints patched
Implement antivirus/antimalware software
Turn on endpoint encryption
Enable MFA for device sign-on
The Department of Health and Human Services 405(d) Program recommendations, which are aligned with the “Protect” function of the NIST Cybersecurity Framework, prioritize high return on investment and quick wins by reducing the number of attack vectors available to potential attackers. By educating users, raising awareness across the organization, restricting access to sensitive resources under the principle of least privilege, and implementing endpoint protections, small- to mid-size healthcare organizations can effectively minimize their attack surface without diverting attention from building a strong security program.
Juan Piacquadio is the CIO & VP, Information Technology at Phlow Corporation.
Tim Hall is the Director of Information Security at Phlow Corporation.