This information is intended to provide an 'intermediate' level of direction and guidance on cybersecurity protections, as defined by 23 control categories, ranging from email protection systems and educating staff on your organization's cybersecurity policies to understanding more about artificial intelligence and how to conduct a business impact analysis (BIA).
With the latest launch of the Healthcare Cyber in a Box 2.1, five new control categories have been added -- including everything from password management, password reset callbacks and payroll change callbacks to wire verifications and endpoint privilege management.
Within each category, the Healthcare Cyber in a Box includes a series of mitigating controls to help enable your organization to be more resilient, in the event of a cyber incident or cyberattack. Provided, too, is an outline of the mitigated risks that an organization or healthcare provider could experience in the course of providing protection for its critical systems.
This information is designed to help your healthcare organization create a blueprint from which you can create -- and build on -- your cybersecurity capabilities and, in doing so, protect the patients, staff and facilities that are vital to the people and communities your organization is dedicated to serving.
To get started, simply click on a link to review each of the (5) charts -- highlighting the recommended cybersecurity practices for each of the control categories.
- Email Protection Systems
What is an Email Protection System?
Email protection is a set of activities that address the various aspects of managing the security for an organization’s email system. It is a culmination of processes, actions, or methodologies which an organization uses to protect business email. The goal is to create effective security processes, train users to securely handle email, and ensure bad actors can’t use email as a jumping off point for access into a company’s network.
Recommended Steps:
- Implement Multifactor Authentication – Multifactor authentication is probably the single most effective way to protect access to a company’s network. Multifactor authentication is when a user must provide two or more pieces of evidence to verify their identity to gain access to an application or digital resource. The additional factor is not a password; it usually comes after the password has been entered and can be provided by an application on the user’s cell phone, a code sent to the user via email, text, or phone, or another method of verifying that the person seeking access is the correct user.
- Implement Email Encryption – Email encryption protects outbound email from a healthcare organization in the event sensitive data might be included in the email. Per the HIPAA Security Rule, encryption is recommended to protect this sensitive data. Depending on applicable state and federal laws, encryption may keep an organization from enduring an investigation in the event a possible data compromise occurred in the organization.
- Implement DMARC Email Security for Vendors (https://www.dmarc.org)
- Endpoint Protection Systems
What is an Endpoint Protection System?
Endpoints are the computing devices directly used by a user. Normally this can be a workstation, a laptop, or some type of terminal device allowing a user to enter information into a computer system. Endpoints are also one of the first points of attack bad actors focus on when trying to gain access to a healthcare organization’s computer network.
Recommended Steps:
- Establish Centralized Alerting and Management Systems – Many mid to enterprise level endpoint protection systems come with a centralized console for review of all assets being protected. This system creates a strong administration platform to not only manage the product but also a central location for reporting and alerting. For example, a small organization currently uses standalone anti-virus on all endpoints but wants to create a centralized management environment. This new system has been configured to allow the administrator to deploy updates automatically, create policies to quarantine suspicious files, and even isolate a device while alerting an administrator if it encounters a suspicious finding.
- Enable Endpoint Firewalls – Endpoint firewalls are a level of protection similar to network firewalls but are used to protect the individual endpoint. They work similarly to a network firewall: they block certain sites and systems from accessing the endpoint and protect the endpoint from malicious files and other attacks. They can be managed remotely by the healthcare organization’s IT function and configured so all endpoints are set up in a similar way, making management easier.
- Identity and Access Management
What is Identity and Access Management?
It is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources, like systems and applications, that align with their job duties. Identity and Access Management responsibilities include the oversight of all provisioning and deprovisioning of user accounts, Single Sign-On, two-factor authentication, privileged access management and any other activities throughout the lifecycle of the user account.
Recommended Steps:
- Single Sign-On – An authentication method that enables users to securely authenticate to a network or multiple applications and websites by utilizing just one set of credentials.
- Privileged Account Management (using MFA) – Privileged accounts typically have elevated administrative level access, allowing users to make configuration changes to services and devices. Privileged Access Management manages the life cycle of those privileged accounts by logging what the accounts did, when, and by whom.
- Data Protection and Loss Prevention
What is Data Protection and Loss Prevention?
It is a set of solutions, strategies, technologies, and techniques that ensure end-users do not transmit sensitive data outside of an organization. This is done by tracking data movement as it moves through and out of the organization and by enforcing disclosure policies to prevent unauthorized disclosure of data. Software solutions can be implemented to prevent data loss, whether it is network, endpoint, or cloud.
Recommended Steps:
- Document Data Flow – Mapping data movement in a flow diagram as the data passes from one program or system to the next, much like a typical workflow diagram. The data flow diagram allows pinpointing where data was in the case of a security compromise or breach.
- Implement Data classification – Data classification is the process of organizing structured (in an organized database) or unstructured data (data not within an actively managed system like a database) into categories based on file type, content, or other metadata.
- Create an Information Security Policy – Sets rules and processes for end-users, creating a standard around the acceptable use of the organization’s information technology, networks, and applications to protect the confidentiality, integrity, and availability of data. This applies whether the data is at rest, in motion, or in use.
- Establish EMR/EHR Data Security – EHR security is limiting access to protected health information (PHI) to only authorized users by utilizing “access controls” like passwords, MFA, and role-based provisioning to access the EHR and then utilizing the concept of separation of duties to prevent theft, misuse, and other security compromises within the EHR.
- IT Asset Management
What is IT Asset Management?
IT Asset Management is how the organization manages IT assets throughout their lifecycle. It helps you know what hardware and software you have and gives you the ability to track detailed information on the assets, like software version and purchase date. This detail helps you make informed decisions as time goes along, like forecasting the life cycle of your hardware, and lets you act faster in response to security alerts because you know the location, what version of software you are running, and if the system is vulnerable. IT Asset Management also includes initial provisioning of assets, tracking and management, integration with enterprise processes, and decommissioning / disposal processes. The scope of management consists of a variety of technology assets provisioned and managed by IT (e.g., servers, workstations, mobile devices, end-user devices, IoT devices, etc.).
Recommended Steps:
- Secure Asset Storage – Organizations should ensure the physical protection of the technology hardware on which data is stored. This can be accomplished through documented procedures and processes to ensure devices cannot be accessed or removed without authorization.
- Inventory system for hardware and software – An inventory system has benefits over just using Excel: allowing for real-time asset gathering and tracking improves accuracy and reduces the amount of work needed to collect the details.
- Integration into Vulnerability Management – This is a continual practice of identifying, classifying, prioritizing, remediating, and mitigating known vulnerabilities to prevent unauthorized access to a system, application, or service through the security gap. In most cases, vendors will issue a vulnerability “patch” to eliminate the security gap.
- Network Management
What is Network Management?
It is the set of activities, procedures, processes, tools, and roles associated with protecting the organization’s network. The goal in any secure organization is to create a strong and secure network minimizing risk to the organization while also not significantly impeding operations.
Recommended Steps:
- Network Segmentation – Network segmentation is the practice of splitting a computer network into subnetworks. This is done to minimize the risk associated with devices on one network speaking to another. For example, an organization may wish to keep guest internet off the network used by the EHR system or medical devices. Network segmentation can be used to create isolated networks where guest internet, the EHR system, and medical devices would not interact with each other, thus minimizing risk.
- Web Proxy Protection – Setting up a web proxy server will create a barrier between an outside entity requesting information from an organizational system and the system itself. This separation protects the internal systems from direct access and can also layer on other security benefits such as encryption, virus/malware scanning, and masking of internal IP addresses.
- Advanced Perimeter Security Implementation – Building on the basic perimeter security, more advanced tools and features can be implemented to provide stronger security. These include Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Geoblocking, and VPN use for external network access.
- Network Access Management – Implementation of a logging program such as a SIEM (Security Information and Event Management) or MDR (Managed Detection and Response) solution to track logging for access to sensitive hardware, systems, or services. These products offer advanced solutions for detection, correlation, and reporting of suspicious or anomalous activity.
- Vulnerability Management
What is Vulnerability Management?
It is the practice of managing the exploitation of IT vulnerabilities and involves the identification and mitigation of known vulnerabilities as well as prioritization based on risk. Vulnerability management should also include preparing for unknown vulnerabilities as well as risk mitigations for threats and vulnerabilities associated with your organization.
Recommended Steps:
- Configuration Management – A documented process for system configuration and implementation. This can take the form of general configuration guidelines or, in more mature organizations, configuration management guidelines per system or class of systems. An example of configuration management can be a design document stating how all endpoints should be deployed or as broad as how an organization manages configuration processes across its environment.
- Change Management – Similar to configuration management, change management looks at how the organization manages system changes and seeks to reduce risk associated with making changes within the environment (software or hardware). A formal process to document, review, and approve changes prior to implementation is essential. A policy to help reinforce this process is also strongly encouraged.
- Implement Data Classification – Data classification is the process of organizing data into broad categories to more easily locate and protect sensitive data. This puts power into the organization’s hands as to understanding what data is out there and what risks might be attached to it. For example, classifying patient data as PHI to be used as a means of categorizing that data. Further down the road, action can be taken against that data to prevent it from being inadvertently emailed or improperly secured.
- Extended Detection and Response (XDR) - XDR is defined by Gartner as a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components. This means that instead of specifically looking at endpoints as EDR does, this suite of applications looks at holistically protecting multiple points (network, endpoint, servers, and cloud applications) by correlating data and giving visibility into the entire computing space. This can lead to more sensitive and faster detections as well as prioritization of high-risk threats.
- Incident Response
What is Incident Response?
It is a set of activities that address the short-term, direct effects of an incident and may also support short-term recovery. In other words, this is a culmination of processes, actions, or methodologies which an organization uses to respond to any cyber event. The goal is to create an efficient and referenceable document or documents aimed at minimizing impact, maximizing recovery, and creating a culture of preparedness.
Recommended Steps:
- Data Flow Documentation – Data rarely sits in one system alone, but often interacts or flows throughout systems in the organization. This process is all about knowing where your sensitive data is and how it moves through your environment. For example, you likely have an EHR system, and that system may have other secondary systems tied to it which process data or offload certain record types for analysis. In this case, knowing that these other systems contain sensitive data informs your level of risk for those applications and your data.
- Incident Response Playbook Creation – A playbook is a predefined guide or process which is enacted during an incident. The guide walks the reader through a set of steps to resolve a specific incident type (e.g. a phishing playbook). Typical playbooks include phishing, ransomware, account compromise, malware/virus outbreak, data theft, denial of service attack, and unauthorized access. By documenting the process for identifying, investigating, and remediating these events you can both practice and be prepared for them.
- Extended Detection and Response (XDR) Implementation - XDR is defined by Gartner as a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components. This means that instead of specifically looking at endpoints as EDR does, this suite of applications looks at holistically protecting multiple points (network, endpoint, servers, and cloud applications) by correlating data and giving visibility into the entire computing space. This can lead to more sensitive and faster detections as well as prioritization of high-risk threats.
- Medical Device Security
What is Medical Device Security?
Per Section 201(h) of the Food, Drug, and Cosmetic Act, a medical device is defined as an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes. The term "device" does not include software functions excluded pursuant to section 520(o). Medical devices serve a critical role in the treatment and prevention of disease and are constantly evolving to become more integrated and effective. Often that means that these devices become networked or accessible via WiFi protocols. These devices should be treated with just as much, or more, care than endpoints as they often have unique restrictions for updating software, implementation, or administration. Being aware of how to manage these devices securely relies on process, controls, and strong vendor relationships.
Recommended Steps:
- Access Management – Access management is vital for medical devices as they provide lifesaving treatments and often contain very sensitive information. Access to these devices for administration, maintenance, and/or disposal should be tightly managed, standardized, and documented.
- Medical Device Vulnerability Management Integration – As with integration into access management, integrating these devices into a formal vulnerability management program is an important step to understanding risk and, ultimately, mitigating risk associated with medical devices. What networking requirements exist, how are the devices updated, how are they scanned for viruses, how are they protected from inappropriate access or command and control? These are all questions that can be answered as part of a vulnerability management program.
- Network Segmentation Usage – Network segmentation is the act or practice of splitting a computer network into subnetworks. In this case, medical devices would go on their own private networks, making it impossible for devices on that network to have full access to other critical systems within the organization. In many cases, network segmentation can be done so that classes of devices can have their own network. For example, all units of device type X can be on network 1, while all units of device type Y can be on network 2, and neither network talks to the other or to the main network.
- Implement HSCC's Model Contract Language for Medtech Cybersecurity – (https://healthsectorcouncil.org/model-contract-language-for-medtech-cybersecurity-mc2/)
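The segmentation rule described under Network Management and again here (guest internet, the EHR system and each class of medical device on separate networks that do not talk to each other) can be verified against firewall or flow logs. The Python audit below is an added example, not part of Healthcare Cyber in a Box; the subnet ranges, zone names, the single permitted flow and the sample flow records are all constructed assumptions.

```python
import ipaddress

# Constructed segment plan (assumption): one subnet per network named in the text.
ZONES = {
    "guest": ipaddress.ip_network("10.10.0.0/16"),
    "ehr": ipaddress.ip_network("10.20.0.0/24"),
    "device_x": ipaddress.ip_network("10.30.1.0/24"),  # "network 1"
    "device_y": ipaddress.ip_network("10.30.2.0/24"),  # "network 2"
    "main": ipaddress.ip_network("10.40.0.0/16"),
}

# Constructed allow-list (assumption): the only inter-segment flow the policy
# permits, as (source zone, destination zone, destination port).
ALLOWED = {("main", "ehr", 443)}

# Constructed flow records in the form "src_ip dst_ip dst_port action".
SAMPLE_FLOWS = """
10.10.5.7 10.20.0.15 443 DENY
10.10.5.7 10.30.1.20 80 ALLOW
10.30.1.20 10.30.2.9 104 ALLOW
10.40.3.3 10.20.0.15 443 ALLOW
10.30.2.9 10.40.3.3 445 ALLOW
10.30.1.20 10.30.1.21 104 ALLOW
10.40.3.3 10.20.0.15 443 DENY
not-an-ip 10.20.0.15 443 ALLOW
"""


def zone_of(addr):
    """Return the segment an address belongs to, or 'external' if none."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def audit(lines):
    """Compare flow records with the segmentation policy.

    Returns (line_number, finding, detail) tuples:
      segmentation-gap     - traffic crossed segments without being permitted
      blocked-allowed-flow - a permitted flow was denied (rule drift)
      unparsed             - record could not be read and needs manual review
    """
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        try:
            src, dst, port, action = line.split()
            port = int(port)
            src_zone, dst_zone = zone_of(src), zone_of(dst)
        except ValueError:
            findings.append((lineno, "unparsed", line))
            continue
        if src_zone == dst_zone:
            continue  # traffic inside one segment is not a segmentation issue
        if "external" in (src_zone, dst_zone):
            continue  # perimeter traffic is covered by perimeter controls
        permitted = (src_zone, dst_zone, port) in ALLOWED
        detail = f"{src_zone}->{dst_zone}:{port}"
        if action.upper() == "ALLOW" and not permitted:
            findings.append((lineno, "segmentation-gap", detail))
        elif action.upper() == "DENY" and permitted:
            findings.append((lineno, "blocked-allowed-flow", detail))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit(SAMPLE_FLOWS.strip().splitlines()):
        print(f"line {lineno}: {kind}: {detail}")
```

Every `segmentation-gap` finding is a flow that the firewall passed between segments the plan says should be isolated, which is the condition to review before an incident rather than after.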
- Cybersecurity Oversight and Guidance
What are Cyber Security Policies?
Cyber Security Policies are an important, and often overlooked, aspect of a well-rounded cyber security posture. Policies help define the measures you have in place to detect and minimize threats, management of critical processes, best practices regarding what employees should and should not do, and roles and responsibilities for members of the organization. For a healthcare organization, they are also required as part of your HIPAA requirements. Below are some recommendations to get started; this is not a complete list of policies but a foundational list.
Recommended Steps:
- Information Security Policy – A set of policies and standards used by the organization to protect Information Technology assets, which also summarizes information from other critical processes such as vulnerability management, incident response, disaster recovery, and data breach response. This document often includes components such as Disaster Recovery, Compliance, Asset Management, Risks/Threats/Vulnerabilities, and Security processes and policies. There is no one standard, but several templates exist.
- Change Management Policy – Policy documenting how the organization manages system changes and seeks to reduce risk associated with making changes within the environment (software or hardware).
- Remote Access Policy - Defines standards for connecting to the organization's network from any host or network external to the organization. *defined by SANS Institute
- Policy Management Program – This is the act of formalizing the process by which policies are created, approved, and revised. This is often done with a small committee to oversee the process, with policies being updated either on a specific frequency or as needed resulting from an environmental change or change in organizational risk or risk appetite. Often this process is also facilitated by software purpose-built to manage policies.
- Disaster Recovery Policy Implementation - Defines the requirement for a baseline disaster recovery plan to be developed and implemented by the company, which describes the process to recover IT Systems, Applications and Data from any type of disaster that causes a major outage. *defined by SANS Institute
- Penetration Testing
What is Penetration Testing?
A method of testing where testers target individual binary components or the application as a whole to determine whether intra or intercomponent vulnerabilities can be exploited to compromise the application, its data, or its environment resources.
Recommended Steps:
- Bring in a company or consultants once a year to conduct a test of the organization’s Internet-facing presence and Application Programming Interfaces (APIs)
- Address discovered open items based on risk criticality
- Social Engineering Education
What is Social Engineering?
Social engineering is the tactic of manipulating, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
Recommended Steps:
- Conduct Phishing Exercises consisting of sending fake phishing emails to staff members.
- Conduct Scheduled Physical Security Walkthroughs and Audits of Facilities.
- Risk Assessments
What are Risk Assessments?
Cybersecurity risk assessments assist healthcare providers and hospitals in understanding the cyber risks to their operations (e.g., mission, functions, critical service, image, reputation), organizational assets, and individuals.
Recommended Steps:
- Bring in a company or consultant to conduct an annual HIPAA Security Risk Assessment with departments outside IT.
- Document open risks.
- Address open risks based on criticality.
- Vendor Risk Assessments
What are Vendor Risk Assessments?
A vendor risk assessment (VRA), also known as a vendor risk review, is the process of identifying and evaluating potential risks or hazards associated with a vendor's operations and products and its potential impact on your organization.
Recommended Steps:
- Leverage a third-party firm to conduct a security risk analysis of vendors.
- Incorporate security standards into contracts and agreements.
- Artificial Intelligence
What is Artificial Intelligence (AI)?
Artificial intelligence is the simulation of human intelligence processes by machines, especially computer systems. Specific applications of AI include expert systems, natural language processing, speech recognition and machine vision.
Recommended Steps:
- Inventory Artificial Intelligence (AI) and Machine Learning policy that sets minimum standards for transparency, safety, ethics, privacy, security, and equity.
- Conduct an organizational Artificial Intelligence (AI) and Machine Learning Risk Assessment using the NIST AI Risk Management Framework (Draft)
- Cyber Insurance
What is Cyber Insurance?
Cyber liability insurance is an insurance policy that provides businesses with a combination of coverage options to help protect the company from data breaches and other cyber security issues.
Recommended Steps:
- Conduct risk assessments with insurance carrier.
- Develop plan to address findings.
- Implement plan to address findings.
- Identify preferred incident response vendor.
- Business Impact Analysis (BIA)
What is Business Impact Analysis (BIA)?
A business impact analysis (BIA) predicts the consequences of a disruption to your business, and gathers information needed to develop recovery strategies.
Recommended Steps:
- Use the Develop business continuity policies.
- Develop downtime procedures for critical systems.
- Train workforce on downtime procedures and business continuity plans using tabletop exercises.
- Tracking Technologies
What are Tracking Technologies?
Tracking technologies are technologies used to collect information about users and their activities on a website. Examples of tracking technologies include cookies, web beacons, and embedded scripts.
Recommended Steps:
- Utilize a consultant or company to provide a detailed analysis of tracking technologies in place at your organization.
- Develop an organizational policy either prohibiting the use of tracking technologies, or for implementing tracking technologies in a compliant manner.
- Password Management and Storage
What is Password Management and Storage?
Proactively implementing policies involving password management and the proper storage of passwords is an effective way to help mitigate cybersecurity risks and protect sensitive and proprietary information.
Recommended Steps:
- Develop a policy forbidding password storage outside the supplied password management tools.
- Utilize the password management tool features to give managers access to passwords after employees leave.
- Password Reset and Multifactor Device Change Callbacks
What are Password Reset and Multifactor Device Change Callbacks?
Requiring all users to store contact numbers in a central system helps ensure team members' information is kept up to date. In doing so, it helps reduce the risk of account takeovers and provides additional security for users and their accounts.
- Include manager escalation if team members cannot be contacted.
- Develop processes to ensure that team members are keeping their information up to date.
- Payroll and ACH Change Callbacks
What are Payroll and ACH Change Callbacks?
Developing a strong callback for payroll and ACH changes reminds employees to authenticate a request before sending funds. Training employees to recognize potential schemes and validate suspicious activity, such as new bank account numbers for a known vendor, can help stop fraud.
- Develop processes so that team members who do not want to use either can make these changes in person.
- Develop processes to keep vendor contacts up to date.
- Wire and Supply Chain Verifications
What are Wire and Supply Chain Verifications?
This control requires trusted contacts and callback numbers for all wire transfers and vendor information changes. It also allows for processes to be developed and implemented to regularly check for and update vendor information.
- Develop processes to regularly check for and update vendor contact information.
- Endpoint Privilege Management and Temporary Admin Access
What is Endpoint Management and Temporary Admin Access?
This type of access enables the development of processes to allow service desk or power users to temporarily grant access to users to perform small administrative tasks. It can also help leverage device management software installation capabilities and/or utilize an endpoint management tool to grant some administrative access to users with business needs.
- Develop policies to prevent admin access for longer than absolutely necessary.
- Leverage an Endpoint Privilege Management tool to grant some administrative access to users with business needs.