Today, all institutions, from government down to small businesses, are targets of cybercrime. Healthcare institutions are no exception.
- In fact, small to medium healthcare institutions face greater threats from cybercrime because these organizations don’t have all of the necessary resources (people, processes, technology, and/or finances) to establish even basic protections. Healthcare institutions also maintain and process some of the most sensitive data – patient’s healthcare and financial information – the very same data cybercriminals desperately want.
- The passing of the Cybersecurity Act of 2015 was a means to address these concerns. Section 405(d) of that Act called for the U.S. Department of Health and Human Services (HHS) to establish a process with industry to address the numerous cybersecurity threats that healthcare organizations face. Accordingly, an industry-government group, known as the 405(d) Task Group, was formed under the Health Sector Coordinating Council (HSCC), which published in 2019 the 405(d) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).
The Indiana Executive Council on Cybersecurity (IECC) Healthcare Committee, utilizing the expertise of healthcare cybersecurity and information security professionals, adapted the HICP for the needs of Indiana’s healthcare providers.
Updated with even more recommendations and best practices, Healthcare Cyber in a Box 2.1 provides organizations with three levels of expert guidance – basic, intermediate, and mature – involving 23 critical areas of cybersecurity – as a FREE to download resource for creating even more of the systems needed for keeping your operations secure while, at the same time, helping to protect your patients and preserving both their digital, as well as physical, well-being.
Public Law 116-321 also amends the HITECH Act and instructs the HHS Office For Civil Rights (OCR) to consider adoption of the 405(d) products when applying enforcement actions. This means that use of Healthcare Cyber in a Box 2.0 can help organizations mitigate potential penalties if a security event happens.
The IECC thanks the 405(d) Working Group, Health Sector Coordinating Council (HSCC), HHS, and the numerous provider, government, and industry volunteers who have made this a reality, and the contributions that have been made to expand even further these resources, are greatly appreciated.
WHAT YOU NEED TO KNOW TO GET STARTED
The purpose of Healthcare Cyber in a Box 2.1 is to provide additional direction and guidance around the topic of cybersecurity protections. The site follows cybersecurity leading practices and provides guidance for different levels of a business’ cybersecurity maturity that build off each other – Basic, Intermediate, and Mature. In other words, if an organization is operating at a mature level, they should also have basic and intermediate controls implemented.
This guidance also provides specific, actionable information on how a health care organization can address each area of concern, including: email protections, system access, asset management, laptop, and workstation protections, etc., and guidance on what specific threats each of these areas seeks to protect against. This is part of an ongoing initiative to help educate and support all Hoosiers and small- and medium-sized businesses. Threats evolve constantly, and cybersecurity guidance to protect against these threats need to be responsive as well.
Highlighted in the charts, there are (23) control categories for an organization to follow, along with the mitigating controls, in three distinct categories -- Basic, Intermediate and Mature. Provided, too, is an outline of the mitigated risks that an organization or healthcare provider could experience in the course of providing protection for its critical systems. A glossary of cybersecurity definitions is also included for your reference.
A strong cybersecurity strategy is the foundation for providing a good security posture against malicious attacks designed to access, alter, delete, destroy or extort an organization's systems and sensitive data.
Cybersecurity is also instrumental in preventing attacks that aim to disable or disrupt a system's or device's operations; a fact that is especially critical for healthcare organizations, whose commitment and dedication is vital in caring for its patients' well-being, medically, as well as protecting their medical records and their personal and financial information.
To get started, simply click on the level of cybersecurity guidance that offers the best fit with the needs and capabilities of your organization.
- Cyber Control Categories
The purpose of this information is intended to provide a level of direction and guidance -- defined as Basic, Intermediate and Mature -- around the topic of cybersecurity protections as defined by 23 control categories.
The following is a series of definitions for each of the categories:
Email Protection Systems -- Email protection is a set of activities that address the various aspects of managing the security for an organization’s email system. It is a culmination of processes, actions, or methodologies which an organization uses to protect business email. The goal is to create effective security processes, train users to securely handle email, and ensure bad actors can’t use email as a jumping off point for access into a company’s network.
Endpoint Protection Systems -- An endpoint for organizations are those computer devices directly utilized by a user. Normally this can be a workstation, a laptop, or some type of terminal device allowing a user to enter information into a computer system. This is also one of the first points of attack bad actors focus on in trying to gain access into a healthcare organization’s computer network.
Identity and Access Management -- is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources like systems and application that align with their job duties. The Identity and Access Management responsibilities include the oversight of all provisioning and deprovisioning of user accounts, Single-Sign On, two-factor authentication, privileged access management and any other activities through-out the lifecycle of the user account.
Data Protection and Loss Prevention -- is a set of solutions, strategies, technologies, and techniques that ensure end-users do not transmit sensitive data outside of an organization. This is done by tracking data movement as it moves through and out of the organization and by enforcing disclosure policies to prevent unauthorized disclosure of data. Software solutions can be implemented to prevent data loss, whether it is network, endpoint, or cloud.
IT Asset Management – is to assess how the organization manages IT assets throughout its lifecycle. It helps you know what hardware and software you have. Gives you the ability to track detailed information on the assets like software version and purchase date. This detail helps you make informed decisions as time goes along, like forecasting the life cycle of your hardware or allowing you to act faster in response to security alerts so you can know the location, what version of software you are running, and if the system is vulnerable. IT Asset Management also includes initial provisioning of assets, tracking and management, integration with enterprise processes, and decommissioning / disposal processes. The scope of management consists of a variety of technology assets provisioned and managed by IT (e.g., servers, workstations, mobile devices, end-user devices, IoT devices, etc.).
Network Management -- is the set of activities, procedures, processes, tools, and roles associated with protecting the organization’s network. The goal in any secure organization is to create a strong and secure network minimizing risk to the organization while also not significantly impeding operations.
Vulnerability Management -- is the practice of managing the exploitation of IT vulnerabilities and involves the identification and mitigation of known vulnerabilities as well as prioritization based on risk. Vulnerability management should also include preparing for unknown vulnerabilities as well as risk mitigations for threats and vulnerabilities associated with your organization.
Incident Response – is a set of activities that address the short-term, direct effects of an incident and may also support short-term recovery. In other words, this is a culmination of processes, actions, or methodologies which an organization uses to respond to any cyber event. The goal is to create an efficient and referenceable document or documents that is aimed at minimizing impact, maximizing recovery, and create a culture of preparedness.
Medical Device Security -- Per Section 201(h) of the Food, Drug, and Cosmetic Act, a medical device is defined as an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes. The term "device" does not include software functions excluded pursuant to section 520(o). Medical devices serve a critical role in the treatment and prevention of disease and are constantly evolving to become more integrated and effective. Often that means that these devices become networked or accessible via WiFi protocols. These devices should be treated with just as much, or more, care than endpoints as they often have unique restrictions for updating software, implementation, or administration. Being aware of how to manage these devices securely relies on process, controls, and strong vendor relationships.
Cybersecurity Oversight and Governance -- are an important, and often overlooked, aspect of a well-rounded cyber security posture. Policies help define the measures you have in place to detect and minimize threats, management of critical processes, best practices regarding what employees should and should not do, and roles and responsibilities for members of the organization. As a healthcare organization, they are also a requirement to have as part of your HIPAA requirements. Below are some recommendations to get started, however, this is not a complete list of policies but instead a foundational list to get started.
Penetration Testing -- A method of testing where testers target individual binary components or the application as a whole to determine whether intra or intercomponent vulnerabilities can be exploited to compromise the application, its data, or its environment resources.
Social Engineering -- is the tactic of manipulating, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
Risk Assessments -- Cybersecurity risk assessments assist healthcare providers and hospitals in understanding the cyber risks to their operations (e.g., mission, functions, critical service, image, reputation), organizational assets, and individuals.
Vendor Risk Assessments -- A vendor risk assessment (VRA), also known as a vendor risk review, is the process of identifying and evaluating potential risks or hazards associated with a vendor's operations and products and its potential impact on your organization.
Artificial Intelligence (AI) -- is the simulation of human intelligence processes by machines, especially computer systems. Specific applications of AI include expert systems, natural language processing, speech recognition and machine vision.
Cyber Insurance -- Cyber liability insurance is an insurance policy that provides businesses with a combination of coverage options to help protect the company from data breaches and other cyber security issues.
Business Impact Analysis -- A business impact analysis (BIA) predicts the consequences of a disruption to your business, and gathers information needed to develop recovery strategies.
Tracking Technologies -- are technologies used to collect information about users and their activities on a website. Examples of tracking technologies include cookies, web beacons, and embedded scripts.
Password Management/Password Storage -- Proactively implementing policies involving password management and the proper storage of passwords are effective solutions for helping to mitigate cybersecurity risks and protect sensitive and proprietary information.
Payroll Reset and Multifactor Device Change Callbacks -- By requiring all users to store contact numbers in a central system, it helps ensure team members' information is kept up to date. In doing so, it helps reduce the risk of account takeovers and provides additional security for users and their accounts.
Payroll and ACH Change Callbacks -- Developing a strong callback for payroll and ACH changes reminds employees to authenticate a request before sending funds. By training employees to recognize potential schemes and validate suspicious activity, such as new bank account numbers for a known vendor, it can help in stopping fraud.
Wire and Supply Chain Verifications -- Requires trusted contacts and callback numbers for all wire transfers and vendor information changes. It also allows for processes to be developed and implemented to regularly check for and update vendor information.
Endpoint Privilege Management and Temporary Admin Access -- enables the development of processes to allow service desk or power users to temporarily grant access to users to perform small administrative tasks. It can also help leverage device management software installation capabilities and/or utilize an endpoint management tool to grant some administrative access to users with business needs.
ADDITIONAL HEALTHCARE-RELATED RESOURCES:
- Healthcare & Public Health Sector Coordinating Councils -- The Operational Continuity Cyber Incident (OCCI) Checklist is intended to provide a flexible template for operational staff and executive management to respond to and recover from an extended enterprise outage due to a serious cyberattack.
- NEW! Healthcare Vendor Management Guidance
- Created as a free resource for use by Indiana's healthcare organizations, the Vendor Management Guidance provides six key approaches, as well as some helpful federal resources, for managing the risks that can occur when using third party vendors and suppliers. Created by members of the Indiana Executive Council on Cybersecurity's (IECC) Healthcare Commitee, the information shared in this newly released website page, is intended to help in making sure these risks are well understood and managed appropriately to ensure patient safety and information security.
- “Cybersecurity for the Clinician” Video Series
- Developed by the Health Sector Coordinating Council (HSCC), "Cybersecurity for the Clinician" is a FREE-to-download cybersecurity training video series that explains in easy, non-technical language the basics for how cyberattacks can affect clinical operations and patient safety, and how clinicians can do their part to help keep healthcare data, systems and patients safe from cyber threats without losing time away from patients.
- Clinicians, students, professionals, and institutions with training programs may download the series on YouTube or in eLearning format at: https://www.healthsectorcouncil.org/cyberclinicianvideos/. For a preview, go to: https://youtu.be/awIJ8kSP-Ak.
- Developed by the Health Sector Coordinating Council (HSCC), "Cybersecurity for the Clinician" is a FREE-to-download cybersecurity training video series that explains in easy, non-technical language the basics for how cyberattacks can affect clinical operations and patient safety, and how clinicians can do their part to help keep healthcare data, systems and patients safe from cyber threats without losing time away from patients.
- CISA Healthcare Cybersecurity Toolkit - To help improve cybersecurity within the HPH sector, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and Health Sector Coordinating Council (HSCC) Cybersecurity Working Group are working together have developed a FREE Toolkit to deliver tools, resources, training, and information that can help organizations within this sector. Together, CISA brings technical expertise as the nation’s cyber defense agency, HHS offers extensive expertise in healthcare and public health, and the HSCC Cybersecurity Working Group offers the practical expertise of industry experts working cybersecurity issues in HPH every day.
- Stay Safe from Cyber Threats - U.S. Small Business Administration
- Cybersecurity Guidance for Business - State of Indiana Cybersecurity Hub