Healthcare Cyber in a Box - Level 1 Guidance

This information is intended to provide a 'basic' level of direction and guidance on cybersecurity protections, as defined by 23 control categories, ranging from email protection systems and educating staff about your organization's cybersecurity policies to understanding more about artificial intelligence and how to conduct a business impact analysis (BIA).

With the latest launch of the Healthcare Cyber in a Box 2.1, five new control categories have been added -- including everything from password management, password reset callbacks and payroll change callbacks to wire verifications and endpoint privilege management.

Within each category, the Healthcare Cyber in a Box includes a series of mitigating controls to help enable your organization to be more resilient, in the event of a cyber incident or cyberattack. Provided, too, is an outline of the mitigated risks that an organization or healthcare provider could experience in the course of providing protection for its critical systems.

This information is designed to help your healthcare organization create a blueprint from which you can build -- and build on -- your cybersecurity capabilities and, in doing so, protect the patients, staff and facilities that are vital to the people and communities your organization is dedicated to serving.

To get started, simply click on a link to review each of the (5) charts -- highlighting the recommended cybersecurity practices for each of the control categories.

  • Email Protection Systems

    What is an Email Protection System?

    Email protection is a set of activities that address the various aspects of managing the security for an organization’s email system.  It is a culmination of processes, actions, or methodologies which an organization uses to protect business email.  The goal is to create effective security processes, train users to securely handle email, and ensure bad actors can’t use email as a jumping off point for access into a company’s network.

    Recommended Steps:

    • Implement Email Scanning – For a basic level of email protection, healthcare organizations are best off not running their own email system or building protections on their own.  Several commercial providers offer proper security protections, including automatic scanning of incoming email, either free or at very low cost.  These providers routinely scan email for phishing, spam, and other potentially dangerous threats.
    • Develop End-User Training – A basic level of training for users would be things like when to click and not click on a link in an email, how to report threats and problems with email, and who to report these problems to.  Users are the front line for information security for any company and periodic user training helps strengthen that security.
    • Develop Acceptable Use Policy – A basic information security policy for all companies is to codify expectations for users when using the computer equipment and network while working.  Most companies provide a certain amount of personal use time on the company network and systems, recognizing that their users usually mix their personal and professional lives.
  • Endpoint Protection Systems

    What are Endpoint Protection Systems?

    An endpoint is a computer device directly used by a user.  Normally this is a workstation, a laptop, or some type of terminal device that lets a user enter information into a computer system.  Endpoints are also one of the first points of attack that bad actors focus on when trying to gain access to a healthcare organization’s computer network.

    Recommended Steps:

    • Implement Endpoint Detection and Response – This involves automated processes that monitor endpoints and protect their data from viruses, malware, and other threats.  The detection processes identify these threats, and the response processes can range from simply notifying the user or IT group about the threat all the way to blocking the potentially compromised device from network access until the threat is removed.
    • Develop End-User Training – End-user training for endpoint protection covers recognizing computer threats that may appear on a workstation, laptop, or other device, properly encrypting data on the device, and accessing the device effectively and securely.
    • Implement Endpoint Encryption – Encrypting data at the endpoint protects sensitive data present on that endpoint if the device is lost or stolen.  This is usually referred to as “whole disk encryption” because the entire contents of the device’s hard drive are encrypted.  Unless the user has properly entered their username and password, the data stays encrypted and a bad actor cannot access it.
  • Identity and Access Management

    What is Identity and Access Management?

    It is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources, such as systems and applications, in line with their job duties. Identity and Access Management responsibilities include oversight of all provisioning and deprovisioning of user accounts, Single Sign-On, two-factor authentication, privileged access management, and any other activities throughout the lifecycle of the user account.

    Recommended Steps:

    • Account provisioning, transfers, and de-provisioning – This is the process of creating, updating, and deleting user accounts in applications and systems. The access management can include user entitlements and group memberships.
    • Password protection – The implementation of enabling a password for a computer, network device, service, file, user account, or data. When password protection is enabled, users receive a prompt for a username or password before they’re given access.
    • End-user training – Create a training program for employees to set forth best practices and guidelines needed for secure access to applications and systems.
    • Multi-Factor authentication for Remote access – multi-factor authentication is secure access control that requires the user to provide multiple credentials unique to an individual to verify the user’s identity to gain access to an application, online account, or a VPN. MFA uses a combination of two or more of the following credentials:
      • Something the user knows – like a password, PIN, or the answer to a security question
      • Something the user has – a device, a smart card, a key fob, etc.
      • Something the user is – a voice, a fingerprint, or a retinal scan
  • Data Protection and Loss Prevention

    What is Data Protection and Loss Prevention?

    It is a set of solutions, strategies, technologies, and techniques that ensure end-users do not transmit sensitive data outside of an organization. This is done by tracking data movement as it moves through and out of the organization and by enforcing disclosure policies to prevent unauthorized disclosure of data. Software solutions can be implemented to prevent data loss, whether it is network, endpoint, or cloud.

    Recommended Steps:

    • Data use procedures – Typically, a policy documents guidelines for end-users to ensure that the organization’s data and information resources are managed and used properly.
    • Data Backup – The process of creating a copy of data to be used for recovery if the original data is lost or corrupted. Backups can be stored by utilizing a network storage solution, cloud storage, or an external hard drive.
    • End-user training – End-user training includes educating staff on the importance of preventing data loss to an unauthorized user, which could negatively impact the organization. End-users should be educated on how they can share data outside of the organization in a secure manner, such as a “Send Secure” tag in the subject line or a secure-send icon inside the email system.
    • Endpoint encryption – This is to protect sensitive data against unauthorized access. This is achieved by applying an encryption solution to a physical device. If the device happens to fall into the hands of an unauthorized user, the solution will prevent the user from accessing the data it contains.
  • IT Asset Management

    What is IT Asset Management?

    It's designed to assess how the organization manages IT assets throughout their lifecycle. It helps you know what hardware and software you have, and gives you the ability to track detailed information on the assets, such as software version and purchase date. This detail helps you make informed decisions as time goes along, like forecasting the life cycle of your hardware, or lets you act faster in response to security alerts because you know the location of each system, what version of software it is running, and whether it is vulnerable. IT Asset Management also includes initial provisioning of assets, tracking and management, integration with enterprise processes, and decommissioning / disposal processes. The scope of management consists of a variety of technology assets provisioned and managed by IT (e.g., servers, workstations, mobile devices, end-user devices, IoT devices, etc.).

    Recommended Steps:

    • Establish device purchasing processes and criteria – Standardize your purchasing on devices that meet your requirements. Written standards let you make sure each device meets your organization’s needs.
    • Develop Asset Management Program – An asset is a person, structure, facility, information, and records, information technology systems and resources, material, process, relationships, or reputation that has value.  Relative to information technology or cyber security, this means that managing assets such as laptops, desktops, servers, network hardware, software, and even users is done in a methodical way.  There are many ways to accomplish this, including off the shelf software, that can help manage the process.  This is critical to properly assess, investigate, and remediate risk.
  • Network Management

    What is Network Management?

    It is the set of activities, procedures, processes, tools, and roles associated with protecting the organization’s network.  The goal in any secure organization is to create a strong and secure network minimizing risk to the organization while also not significantly impeding operations.

    Recommended Steps:

    • Implement Physical Security of Network Devices – A basic premise of network security is to physically protect the device from inappropriate access.  This includes storing active and non-active devices within a secure environment, behind lock and key or a security badge.  It also includes the use of surveillance equipment and, when matured, testing, which is often done as part of a tabletop exercise or disaster recovery effort.
    • Implement Basic Perimeter Security – Basic network security includes the use of secured routers, firewalls and the locking down of non-used segments of your network including ports.  These settings are generally managed by a networking professional as changes here may prevent outbound communications.
    • Use Managed Service Provider for Network Management and Best Practices – Network management is a specialized skill set.  Engaging a third party or hiring internal specialists is necessary to maintain a secure environment while adhering to evolving best practices.
  • Vulnerability Management

    What is Vulnerability Management?

    It is the practice of managing the risk of exploitation of IT vulnerabilities, and involves the identification and mitigation of known vulnerabilities as well as prioritization based on risk.  Vulnerability management should also include preparing for unknown vulnerabilities as well as risk mitigations for threats and vulnerabilities associated with your organization.

    Recommended Steps:

    • Develop Asset Management Program – An asset is a person, structure, facility, information, and records, information technology systems and resources, material, process, relationships, or reputation that has value.  Relative to information technology or cyber security, this means that managing assets such as laptops, desktops, servers, network hardware, software, and even users is done in a methodical way.  There are many ways to accomplish this, including off the shelf software, that can help manage the process.  This is critical to properly assess, investigate, and remediate risk.
    • Conduct System Scanning, Remediation, and Patching – Servers, laptops, and desktops all run on operating systems such as Microsoft Windows or Windows Server, Linux, or Unix. These operating systems have vulnerabilities of varying levels of severity, as well as corresponding patches. Applying these patches to endpoints is a vital part of vulnerability management, as many of these vulnerabilities have exploits that can be used to gain access to systems or data throughout your environment.  Also of note, hardware such as routers and switches also has vulnerabilities and should be monitored through vendor sites or the National Vulnerability Database (https://nvd.nist.gov/).
    • Establish Vulnerability Management Program – A vulnerability management program is a documented, risk-based process designed to identify, prioritize, and remediate risks.  These risks can include known risks (like those found during system scanning), risks to the organization due to controls not already in place, or risks associated with the current implementation of hardware, software, or policies. Understanding these risks, gathering a team to investigate, and creating a plan to mitigate or remove that risk falls to the vulnerability management program.
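The three steps above come together when scan results are matched against the asset inventory and ranked by risk. The following is an added example, not code from the page or from any scanning product, of that matching and prioritization logic. The hosts, software names, versions and advisory ids are all constructed placeholders (the ids are deliberately not CVE numbers); in practice the advisory feed comes from vendor sites or the NVD referenced above, and the inventory from the asset management program.

```python
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.0.19045' into (10, 0, 19045) so versions compare numerically.

    A plain string compare would wrongly rank '9.2' above '10.0', which is a
    common source of missed findings in home-grown inventory scripts.
    """
    return tuple(int(part) for part in v.split("."))


@dataclass
class Asset:
    hostname: str
    software: str
    version: str
    internet_facing: bool


@dataclass
class Advisory:
    advisory_id: str        # constructed placeholder ids, not real CVE numbers
    software: str
    fixed_in: str           # first version that contains the patch
    cvss: float             # base score 0.0-10.0 from the advisory


@dataclass
class Finding:
    hostname: str
    advisory_id: str
    cvss: float
    priority: float
    action: str


# Constructed sample inventory and advisory feed (hypothetical hosts, versions, scores).
INVENTORY = [
    Asset("web-portal-01", "ExampleWebServer", "2.4.1", internet_facing=True),
    Asset("file-srv-02",   "ExampleWebServer", "2.4.1", internet_facing=False),
    Asset("lab-wks-07",    "ExampleOffice",    "16.0.1", internet_facing=False),
    Asset("rtr-edge-01",   "ExampleRouterOS",  "7.12",  internet_facing=True),
]
ADVISORIES = [
    Advisory("VULN-EXAMPLE-1", "ExampleWebServer", fixed_in="2.4.3",  cvss=9.8),
    Advisory("VULN-EXAMPLE-2", "ExampleOffice",    fixed_in="16.0.2", cvss=7.8),
    Advisory("VULN-EXAMPLE-3", "ExampleRouterOS",  fixed_in="7.10",   cvss=8.1),  # router already patched
]


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected when it runs the named software below the fixed version."""
    return (asset.software == adv.software
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def prioritize(inventory: List[Asset], advisories: List[Advisory]) -> List[Finding]:
    """Match assets to advisories and rank them: CVSS first, with a 1.5x weight
    for internet-facing assets because anyone can reach them."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if is_affected(asset, adv):
                weight = 1.5 if asset.internet_facing else 1.0
                findings.append(Finding(
                    hostname=asset.hostname,
                    advisory_id=adv.advisory_id,
                    cvss=adv.cvss,
                    priority=round(adv.cvss * weight, 2),
                    action=f"upgrade {adv.software} {asset.version} -> {adv.fixed_in}",
                ))
    return sorted(findings, key=lambda f: f.priority, reverse=True)


if __name__ == "__main__":
    for f in prioritize(INVENTORY, ADVISORIES):
        print(f"{f.priority:5.2f}  {f.hostname:14} {f.advisory_id:16} {f.action}")
```

The weighting is the program's risk decision and should be written down in the vulnerability management policy; exposure to the internet is used here, but the same place is where a healthcare organization would add factors such as "handles PHI" or "clinical device" once the asset inventory records them.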
  • Incident Response

    What is Incident Response?

    It is a set of activities that address the short-term, direct effects of an incident and may also support short-term recovery.  In other words, this is a culmination of processes, actions, or methodologies which an organization uses to respond to any cyber event.  The goal is to create an efficient and referenceable document or documents aimed at minimizing impact, maximizing recovery, and creating a culture of preparedness.

    Recommended Steps:

    • Establish Threat/Risk Assessment Program – A foundational step in incident response is to create a set of procedures around determining what threats, vulnerabilities, and risks exist within your organization.  If you have endpoints (laptops or tablets), servers, medical devices, a network, or operational systems (productivity software, email, EHR) then you must start with determining what threats and vulnerabilities each of those systems contain followed by a determination of level of risk. There are several methodologies, templates, and frameworks out there.  The key is to find one that is repeatable and thorough.
    • Develop an Incident Response Plan – An incident response is a set of predetermined and documented procedures to detect and respond to a cyber incident.  This document commonly contains information regarding who responds to an incident, notification plans to key parties (insurance, law enforcement etc..), mitigation and remediation processes, and breach responses.  As with a threat management program, there are several ways to do it but find one that can be updated easily and quickly referenced.
    • Implement Endpoint Detection and Response (EDR) - Endpoint detection and response technology is used to protect endpoints from threats and is an updated term reflecting advancements over traditional anti-virus/malware tools. Every EDR platform has a unique set of capabilities, but they often include active monitoring of endpoints, responding to real-time threats, and acting through a central management system to deploy settings and application policies.  A common example is the detection of a trojan on a device and the EDR application triggering a policy to either remove that trojan or isolate the device from the network and/or internet.
    • Implement End-user training – This is probably one of the more easily understood topics; however, it is critical to execute well.  People are the number one cyber security vulnerability in any organization.  This is not due to any character flaw or malicious intent, but is instead a result of employees being the primary target of attackers seeking access to systems. Training employees on how to properly use systems, secure passwords, use email, and make good choices is likely the biggest single control you can put in place for incident response.  For that exact reason it is a requirement under the HIPAA Privacy Rule (45 CFR §164.530) and an administrative safeguard of the HIPAA Security Rule (45 CFR §164.308).
  • Medical Device Security

    What is Medical Device Security?

    Per Section 201(h) of the Food, Drug, and Cosmetic Act, a medical device is defined as an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes. The term "device" does not include software functions excluded pursuant to section 520(o).  Medical devices serve a critical role in the treatment and prevention of disease and are constantly evolving to become more integrated and effective. Often that means these devices become networked or accessible via WiFi protocols.  These devices should be treated with just as much, or more, care than endpoints, as they often have unique restrictions on updating software, implementation, or administration.  Managing these devices securely relies on process, controls, and strong vendor relationships.

    Recommended Steps:

    • Establish Device Purchasing Processes and Criteria – Defining what criteria need to be met to purchase a medical device is an important step in keeping these assets secure.  Many different technical options and constraints exist when selecting the right device.  Having a preset list of requirements will help focus conversations and minimize time in both purchasing and possibly re-purchasing if the organization finds out later those requirements were not sufficiently met.
    • Establish Device Implementation Plan – For all devices purchased require an implementation plan from the vendor and retain that plan with other critical device documentation such as contract language and contacts for issue escalation. Ease of use, ease of maintenance, and implementation time are all critical, however, do not forget to make sure that security considerations are also met.
    • Integrate Medical Devices Into Asset Management Program – An asset is a person, structure, facility, information, and records, information technology systems and resources, material, process, relationships, or reputation that has value. For this purpose, a medical device is most certainly an asset, and as such should be managed similarly to other information technology or medical technology assets within the organization. Integrating these devices into a formal asset management program gives not only information on current deployment and use of the asset, but also critical information such as owner, maintenance schedule, past issues with the device, service contract information, and important dates such as purchase date and end-of-life date.
  • Cybersecurity Oversight and Guidance

    What are Cyber Security Policies?

    These policies are an important, and often overlooked, aspect of a well-rounded cyber security posture.  Policies define the measures you have in place to detect and minimize threats, the management of critical processes, best practices regarding what employees should and should not do, and roles and responsibilities for members of the organization.  As a healthcare organization, you are also required to have them under HIPAA.  Below are some recommendations to get started; this is not a complete list of policies but a foundational list to get started.

    Recommended Steps:

    • Email Security Policy - Defines the requirements for proper use of the company email system and makes users aware of what is considered acceptable and unacceptable use of its email system. *defined by SANS Institute
    • Social Engineering Awareness Policy - Defines guidelines to provide awareness around the threat of social engineering and defines procedures when dealing with social engineering threats. Relevant content was added to the Acceptable Use Policy. *defined by SANS Institute
    • Password Protection Policy - Defines the standard for the creation of strong passwords, the protection of those passwords, and the frequency of change. *defined by SANS Institute
    • Data Breach Response - Defines the goals and the vision for the breach response process. This policy defines to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards, and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms. *defined by SANS Institute
    • Technology Disposal Policy - Defines the requirements for proper disposal of electronic equipment, including hard drives, USB drives, CD-ROMs, and other storage media which may contain various kinds of company data, some of which may be considered sensitive.  *defined by SANS Institute
    • Anti-Virus/Anti-Malware Policy - Defines guidelines for effectively reducing the threat of computer viruses on the organization's network.  *defined by SANS Institute
    • Vulnerability Management Policy – This document outlines the processes, tools, and roles responsible for analyzing, documenting, and remediating risk throughout the organization.
    • Incident Response Plan – An IRP is a document organizing steps to help staff detect, respond to, and recover from a security incident.  This often includes communication plans as well as roles and responsibilities.
    • Acceptable Use - Defines acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information.  *defined by SANS Institute
    • Staff Education – Make sure all employees are aware of policies, know how to reference them, and know where to direct questions.
  • Penetration Testing

    What is Penetration Testing?

    A method of testing where testers target individual binary components or the application as a whole to determine whether intra or intercomponent vulnerabilities can be exploited to compromise the application, its data, or its environment resources.

    Recommended Steps:

    • Bring in a company or consultants once a year to conduct a test of the organization’s Internet-facing presence and Application Programming Interfaces (APIs)
    • Address discovered open items based on risk - with the highest ones addressed first.
  • Social Engineering Education

    What is Social Engineering?

    Social engineering is the tactic of manipulating, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

    Recommended Steps:

    • Develop or purchase training on Social Engineering, Facility Security, Workstation Security, and Security Policy Training.
    • Leverage "Cybersecurity for the Clinician" video series - for clinical staff members.
  • Risk Assessments

    What are Risk Assessments?

    Cybersecurity risk assessments assist healthcare providers and hospitals in understanding the cyber risks to their operations (e.g., mission, functions, critical service, image, reputation), organizational assets, and individuals.

    Recommended Steps:

    • Leverage HHS Guidance on Risk Analysis and the HIPAA Security Risk Assessment (SRA) Tool to conduct an annual risk assessment.
    • Document open risks.
    • Address open risks based on criticality.
  • Vendor Risk Assessments

    What are Vendor Risk Assessments?

    A vendor risk assessment (VRA), also known as a vendor risk review, is the process of identifying and evaluating potential risks or hazards associated with a vendor's operations and products and its potential impact on your organization.

    Recommended Steps:

    • Establish Purchasing Processes/Criteria
    • Establish policy requiring evaluations of purchased products/services involving Information Technology (IT)
    • Require a Business Associate Agreement (BAA) for vendors processing PHI/PII
  • Artificial Intelligence (AI)

    What is Artificial Intelligence (AI)?

    Artificial intelligence is the simulation of human intelligence processes by machines, especially computer systems. Specific applications of AI include expert systems, natural language processing, speech recognition and machine vision.

    Recommended Steps:

    • Inventory Artificial Intelligence (AI) and Machine Learning (ML) systems in use.
    • Inventory data elements sent/received from these systems.
  • Cyber Insurance

    What is Cyber Insurance?

    Cyber liability insurance is an insurance policy that provides businesses with a combination of coverage options to help protect the company from data breaches and other cyber security issues.

    Recommended Steps:

    • Speak with your insurance carrier about requirements for cyber liability insurance.
    • Ensure coverage for data breaches, cyberattacks, attacks on third parties, Nation State attacks/cyber warfare, ransomware, insider attacks, and terrorist attacks.
    • Enable two-factor authentication for all remote, cloud, and email access; this is a minimum requirement.
  • Business Impact Analysis (BIA)

    What is Business Impact Analysis (BIA)?

    A business impact analysis (BIA) predicts the consequences of a disruption to your business, and gathers information needed to develop recovery strategies.

    Recommended Steps:

  • Tracking Technologies

    What are Tracking Technologies?

    Tracking technologies are technologies used to collect information about users and their activities on a website. Examples of tracking technologies include cookies, web beacons, and embedded scripts.

    Recommended Steps:

    • Leverage a tool like PageXRay -- https://pagexray.fouanalytics.com -- to inventory the tracking technology in use at your organization.
    • Ensure that tracking technologies are not being used on patient portals or any pages that could convey personal or health-related data.
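Whether you use a hosted tool such as the one named above or check pages yourself, the underlying task is the same: list every script, image beacon, iframe and preconnect on a page and work out which ones send requests to hosts your organization does not control. The following is an added example, not code from the page or from PageXRay, that does that inventory over a constructed patient-portal page using only the Python standard library. The hostnames and page content are hypothetical, and the first-party test (last two labels of the hostname) is a deliberate simplification that a production tool would replace with a public-suffix list.

```python
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


def site_of(host: str) -> str:
    """Naive registrable-domain approximation: keep the last two labels."""
    return ".".join(host.split(".")[-2:])


class TrackerInventory(HTMLParser):
    """Collects script, image-beacon, iframe and preconnect references from a page
    and classifies each as first- or third-party relative to the page's own site."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_host = urlparse(page_url).hostname or ""
        self.findings: List[Dict[str, str]] = []

    def _record(self, kind: str, url: str, note: str = "") -> None:
        host = urlparse(url).hostname or self.page_host   # relative URLs are first-party
        party = "first-party" if site_of(host) == site_of(self.page_host) else "third-party"
        self.findings.append({"kind": kind, "host": host, "party": party,
                              "url": url, "note": note})

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self._record("script", a["src"])
        elif tag == "img" and a.get("src"):
            # A 1x1 image is the classic web beacon / tracking pixel.
            beacon = a.get("width") == "1" and a.get("height") == "1"
            self._record("image", a["src"], "web beacon (1x1)" if beacon else "")
        elif tag == "iframe" and a.get("src"):
            self._record("iframe", a["src"])
        elif tag == "link" and a.get("rel", "").lower() in ("preconnect", "dns-prefetch") and a.get("href"):
            self._record("preconnect", a["href"])


def inventory_page(page_url: str, html: str) -> List[Dict[str, str]]:
    parser = TrackerInventory(page_url)
    parser.feed(html)
    return parser.findings


def third_party_hosts(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct external hosts that receive requests, and so potentially user data."""
    return sorted({f["host"] for f in findings if f["party"] == "third-party"})


# Constructed sample: a hypothetical patient-portal page that mixes the hospital's own
# assets with a third-party analytics script and an ad-network tracking pixel.
SAMPLE_URL = "https://portal.example-hospital.test/appointments"
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://cdn.analytics-vendor.test">
<script src="/static/portal.js"></script>
<script src="https://cdn.analytics-vendor.test/tag.js"></script>
</head><body>
<img src="/img/logo.png" width="200" height="60">
<img src="https://pixel.adnetwork.test/p?id=12345" width="1" height="1">
<iframe src="https://maps.example-hospital.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    findings = inventory_page(SAMPLE_URL, SAMPLE_HTML)
    for f in findings:
        print(f"{f['party']:12} {f['kind']:10} {f['host']:28} {f['note']}")
    print("external hosts:", third_party_hosts(findings))
```

A non-empty result from `third_party_hosts` on a portal or any page that can carry health-related data is exactly the condition the second step above says must not occur; the findings list tells you which tag to remove or which vendor relationship to review. Static HTML misses trackers injected later by scripts, so a browser-based check of live network requests is the complement to this parse.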
  • Password Management and Storage

    What is Password Management and Storage?

    Proactively implementing policies involving password management and the proper storage of passwords are effective solutions for helping to mitigate cybersecurity risks and protect sensitive and proprietary information.

    Recommended Steps:

    • Provide a password management tool so that users can store passwords to multiple websites securely.
    • Do not use the password managers that come with web browsers.
    • Provide 2FA access, if possible.
  • Password Reset and Multifactor Device Callbacks

    What are Password Reset and Multifactor Device Callbacks?

    Requiring all users to store contact numbers in a central system helps ensure team members' information is kept up to date. In doing so, it reduces the risk of account takeover and provides additional security for users and their accounts.

    Recommended Steps:

    • Require all users to store contact numbers in a central system.
    • Call users back on their contact numbers if they ask for a password change or 2FA reset along with challenge questions.
  • Payroll and ACH Change Callbacks

    What are Payroll and ACH Change Callbacks?

    Developing a strong callback process for payroll and ACH changes reminds employees to authenticate a request before sending funds. Training employees to recognize potential schemes and validate suspicious activity, such as new bank account numbers for a known vendor, helps stop fraud.

    Recommended Steps:

    • Leverage either contact number callbacks or two-factor authentication for all non-interactive payroll changes, including bank accounts.
    • Call back and verify using a trusted number all vendors who change their ACH accounts.
  • Wire and Supply Chain Verifications

    What are Wire and Supply Chain Verifications?

    This control requires trusted contacts and callback numbers for all wire transfers and vendor information changes. It also allows processes to be developed and implemented to regularly check for and update vendor information.

    Recommended Steps:

    • Require trusted contacts and callback numbers for all wire transfers and vendor information changes.
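The password reset, payroll/ACH and wire verification steps above all rest on one rule: the callback goes to the number already on record, never to a number supplied in the request. The following is an added example, not code from the page or from any vendor product, of a single verification routine that enforces that rule for all three request kinds and writes an audit entry for each decision. The directories, phone numbers and account numbers are constructed placeholders, and the phone conversation is simulated through an injected `place_call` function so the flow can be exercised without a telephony system.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed "central system" of trusted contacts (hypothetical records).
# The number on record is the ONLY number a callback is ever placed to.
USER_DIRECTORY: Dict[str, dict] = {
    "jdoe": {"phone": "+1-555-0100", "challenge": ("cost center", "4410")},
}
VENDOR_DIRECTORY: Dict[str, dict] = {
    "acme-medical-supply": {"phone": "+1-555-0199", "ach_account": "000111222"},
}

# Request kinds that must never be completed on the strength of the inbound message alone.
USER_KINDS = {"password_reset", "mfa_reset", "payroll_bank_change"}
VENDOR_KINDS = {"vendor_ach_change", "wire_transfer"}
CALLBACK_REQUIRED = USER_KINDS | VENDOR_KINDS


@dataclass
class ChangeRequest:
    kind: str
    subject: str                                    # user id or vendor id the change concerns
    new_value: str                                  # e.g. new bank account or wire destination
    requested_via: str                              # "email", "ticket", "phone", ...
    requester_callback_hint: Optional[str] = None   # number the requester asked us to use


@dataclass
class Decision:
    approved: bool
    reason: str
    number_dialed: Optional[str] = None


AUDIT_LOG: List[str] = []

# place_call(phone_number, prompt) -> spoken answer; injected so the flow runs offline.
CallFn = Callable[[str, str], str]


def verify_by_callback(req: ChangeRequest, place_call: CallFn) -> Decision:
    """Approve a sensitive change only after an out-of-band callback to the number on record."""
    if req.kind not in CALLBACK_REQUIRED:
        return Decision(True, "no callback required for this request kind")

    directory = USER_DIRECTORY if req.kind in USER_KINDS else VENDOR_DIRECTORY
    record = directory.get(req.subject)
    if record is None:
        return Decision(False, f"no trusted contact on record for {req.subject}")

    # Deliberately ignore any number supplied in the request; the requester controls that one.
    number = record["phone"]
    if req.requester_callback_hint and req.requester_callback_hint != number:
        AUDIT_LOG.append(f"{req.kind} {req.subject}: request asked for callback to "
                         f"{req.requester_callback_hint}; used number on record instead")

    if req.kind in ("password_reset", "mfa_reset"):
        question, expected = record["challenge"]
        answer = place_call(number, f"Please confirm your {question}.")
        ok = answer.strip() == expected
        reason = "challenge answered correctly" if ok else "challenge failed"
    else:
        tail = req.new_value[-4:]
        answer = place_call(number, f"Did you request a {req.kind} to an account ending in {tail}? (yes/no)")
        ok = answer.strip().lower() == "yes"
        reason = "change confirmed on callback" if ok else "change denied on callback"

    AUDIT_LOG.append(f"{req.kind} {req.subject}: dialed {number} for {req.requested_via} request -> {reason}")
    return Decision(ok, reason, number_dialed=number)


if __name__ == "__main__":
    # Simulated conversation: the real vendor, reached on the number on record, never asked for the change.
    def vendor_phone(number: str, prompt: str) -> str:
        return "no" if number == "+1-555-0199" else "yes"

    suspicious = ChangeRequest("vendor_ach_change", "acme-medical-supply", "999888777",
                               requested_via="email", requester_callback_hint="+1-555-0666")
    print(verify_by_callback(suspicious, vendor_phone))
    print("\n".join(AUDIT_LOG))
```

The audit entry recording that a request asked for a different callback number is worth routing to whoever handles fraud reports: a legitimate contact change and an attempt to redirect the callback look identical in the request itself, and only the out-of-band call on the number of record separates them.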
  • Endpoint Privilege Management and Temporary Admin Access

    What is Endpoint Privilege Management and Temporary Admin Access?

    This control covers the development of processes that allow service desk or power users to temporarily grant users access to perform small administrative tasks. It also covers leveraging device management software installation capabilities and/or an endpoint management tool to grant limited administrative access to users with a business need.

    Recommended Steps:

    • Develop processes so Service Desk or Power Users can temporarily grant access to users to perform small administrative tasks.
    • Leverage device management software installation capabilities to reduce the need for users to install software themselves.