Healthcare Cyber in a Box - Level 3 - Mature Guidance

This information is intended to provide a "mature" level of direction and guidance on cybersecurity protections, as defined by 23 control categories, ranging from email protection systems and educating staff about your organization's cybersecurity policies to understanding artificial intelligence and how to conduct a business impact analysis (BIA).

Within each category, the Healthcare Cyber in a Box includes a series of mitigating controls (featured here) to help enable your organization to be more resilient, in the event of a cyber incident or cyberattack. A series of mitigated risks (see charts) are also identified as a guide for understanding the outcomes for what can be avoided by following these recommended best practices.

With the latest launch of the Healthcare Cyber in a Box 2.1, five new control categories have been added -- including everything from password management, password reset callbacks and payroll change callbacks to wire verifications and endpoint privilege management.

This information is designed to help your healthcare organization create a blueprint to build on for its cybersecurity capabilities and, in doing so, protect the patients, staff and facilities that are vital to the people and communities you are dedicated to serving.

To get started, simply click on a link to review each of the (5) charts -- highlighting the recommended cybersecurity practices for each of the control categories.

  • Email Protection Systems

    What is an Email Protection System?

    Email protection is a set of activities that address the various aspects of managing the security of an organization’s email system. It is a combination of processes, actions, and methodologies that an organization uses to protect business email. The goal is to create effective security processes, train users to handle email securely, and ensure bad actors can’t use email as a jumping-off point for access into a company’s network.

    Recommended Steps:

    • Advanced Email Security Controls – Advanced email security controls can include secure email archiving for legal or other regulatory requirements, and moving email systems into the cloud to allow near-constant uptime for your email systems. They can also include automated blocking of email attacks and of mass attacks that attempt to shut down the email system.
    • Phishing Simulation and Testing – This is a level of user training that gives users knowledge of what a phishing email really looks like and how to recognize the warning signs that constitute phishing. Phishing training is generally provided by security organizations that offer simulated phishing: email that won’t harm the user or system but gives organizations a way to test their users in recognizing this type of attack.
    • Data Loss Prevention – Data Loss Prevention (DLP) is a set of technologies, products, and techniques designed to stop sensitive information from leaving an organization. Since the email system is a major conduit for data leaving an organization, a DLP solution monitors outbound email for data like credit card numbers, medical record numbers, social security numbers, and other very sensitive data. The DLP system can be tuned to block the email containing the sensitive information, send a notice to the sender to confirm they intended to send this data, or simply monitor this outbound data.
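    The outbound-email DLP step above, as an added example that is not part of the Healthcare Cyber in a Box guidance: it scans a message body for the identifier types named there and returns the configured action (block, notify the sender, or monitor). The MRN format, the policy table and the sample messages are constructed assumptions for illustration.

```python
"""
Added example (not from the Healthcare Cyber in a Box guidance): a minimal
outbound-email DLP check. It scans a message body for sensitive identifiers
and returns the configured action for the most severe match: "block",
"notify" (ask the sender to confirm), or "monitor" (log only). The MRN
format and the policy table are constructed assumptions; real MRN formats
are organization-specific.
"""
import re
from dataclasses import dataclass, field

# Detection patterns (constructed). The credit-card pattern is deliberately
# broad and is confirmed with a Luhn check to cut down false positives.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,18}\d\b"),
    # Assumed MRN format for this example: "MRN" followed by 8 digits.
    "mrn": re.compile(r"\bMRN[- ]?\d{8}\b", re.IGNORECASE),
}

# Policy: what to do when a data type is found in outbound mail (constructed).
# Severity order lets the scanner pick the strictest action among all matches.
POLICY = {"ssn": "block", "mrn": "block", "credit_card": "notify"}
SEVERITY = {"monitor": 0, "notify": 1, "block": 2}


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


@dataclass
class ScanResult:
    action: str = "monitor"                       # strictest action found
    findings: dict = field(default_factory=dict)  # data type -> match count


def scan_outbound_email(body: str) -> ScanResult:
    """Scan an outbound message body and decide block / notify / monitor."""
    result = ScanResult()
    for data_type, pattern in PATTERNS.items():
        matches = pattern.findall(body)
        if data_type == "credit_card":
            # Only count candidates that pass the Luhn check.
            matches = [m for m in matches if luhn_valid(m)]
        if not matches:
            continue
        result.findings[data_type] = len(matches)
        action = POLICY.get(data_type, "monitor")
        if SEVERITY[action] > SEVERITY[result.action]:
            result.action = action
    return result


# Constructed sample messages for a quick demonstration.
SAMPLE_CLEAN = "Hi team, the meeting moved to 3pm. Order #123456789012 shipped."
SAMPLE_CARD = "Please bill card 4111 1111 1111 1111 for the copay."
SAMPLE_PHI = "Patient MRN-00451234 (SSN 219-09-9999) needs a follow-up."

if __name__ == "__main__":
    for msg in (SAMPLE_CLEAN, SAMPLE_CARD, SAMPLE_PHI):
        r = scan_outbound_email(msg)
        print(f"{r.action:8s} {r.findings}  <- {msg[:40]}...")
```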
  • Endpoint Protection Systems

    What is an Endpoint Protection System?

    An endpoint is a computer device directly used by a user. Normally this is a workstation, a laptop, or some type of terminal device that allows a user to enter information into a computer system. It is also one of the first points of attack that bad actors focus on when trying to gain access into a healthcare organization’s computer network.

    Recommended Steps:

    • Automated Endpoint Provisioning – Automated provisioning for endpoints is a way to provide easier management for a healthcare organization’s IT function. Provisioning means the endpoints are configured in a consistent way from the beginning and gives users a similar look and feel across these devices. Automating processes like provisioning reduces the possibility that a security problem or threat is accidentally caused by someone entering a control improperly.
    • Implement Mobile Device Management – For those healthcare organizations that have company cell phones or other mobile devices or allow their employees to use their personal mobile device for work-related activities, mobile device management (MDM) allows those companies to manage and protect company data on those devices.  In the event a company asset is lost or stolen, MDM can provide companies the ability to remotely wipe the device protecting the data.
    • Malicious IP address blocking – The definition of “blocklisting” is when network systems automatically block either web sites, IP addresses, or even geo-locations from being able to access an organization’s systems.  This is done when these external sites are identified as a threat and can be handled by security companies contracted by the healthcare organization.
  • Identity and Access Management

    What is Identity and Access Management?

    It is a framework of policies and technologies that ensures the right users have the appropriate access to technology resources, such as systems and applications, in line with their job duties. Identity and Access Management responsibilities include oversight of all provisioning and deprovisioning of user accounts, Single Sign-On, two-factor authentication, privileged access management, and any other activities throughout the lifecycle of the user account.

    Recommended Steps:

    • Access Governance – Reduces the risk of users having unnecessary rights. It is a great way of auditing, maintaining, and monitoring that everyone has the appropriate access. As the business grows and your systems become more complex, the process of access governance becomes more critical to granting appropriate rights and access to systems.
    • Federated Identity Management Authorization – A method of linking a user’s identity across separate identity management systems to quickly move between domains while maintaining security, like in the case of a vendor.
    • Identity Management Automation
  • Data Protection and Loss Prevention

    What is Data Protection and Loss Prevention?

    It is a set of solutions, strategies, technologies, and techniques that ensure end-users do not transmit sensitive data outside of an organization. This is done by tracking data movement as it moves through and out of the organization and by enforcing disclosure policies to prevent unauthorized disclosure of data. Software solutions can be implemented to prevent data loss, whether it is network, endpoint, or cloud.

    Recommended Steps:

    • Data Loss Prevention Implementation – Data Loss Prevention practice includes monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest to protect it from unauthorized access, exfiltration, or destruction. Many enterprise applications, such as those from Microsoft, offer DLP with their product through embedded scripts and code that look for unique identifiers representing sensitive data like PHI and then flag or encrypt the data.
    • Data Governance Program Implementation – Set of principles and practices that ensures the availability, usability, integrity, and security of the organization’s data by monitoring and managing the data’s processes, metrics, and tools.
  • IT Asset Management

    What is IT Asset Management?

    IT Asset Management is the practice of managing the organization’s IT assets throughout their lifecycle. It helps you know what hardware and software you have and gives you the ability to track detailed information on the assets, like software version and purchase date. This detail helps you make informed decisions over time, like forecasting the life cycle of your hardware, and allows you to act faster in response to security alerts because you know the location of a system, what version of software it is running, and whether it is vulnerable. IT Asset Management also includes initial provisioning of assets, tracking and management, integration with enterprise processes, and decommissioning/disposal processes. The scope of management consists of a variety of technology assets provisioned and managed by IT (e.g., servers, workstations, mobile devices, end-user devices, IoT devices, etc.).

    Recommended Steps:

    • Automated Discovery and Maintenance Automation – This is a snapshot of the IT enterprise, including applications, processes, services, components, and their dependencies. It can be accomplished by implementing a Configuration Management Database (CMDB) solution. The CMDB can lead to discovering opportunities for change, as in the case of end-of-life technologies, and aid in recovery from a security incident or disaster. The database should contain all information about the devices and applications that deliver services to the organization, such as location, owner, patching and rebooting, and the impact level if the item were unavailable.
    • Medical Device Management Software and Program Establishment – Medical device security is a set of practices and techniques that can prevent unauthorized access or control of the device or data loss. Unauthorized access to medical devices could cause a negative impact on patients or even lead to loss of life. A medical device management program should contain identifying medical devices, managing the security of the devices throughout their lifecycle, and tracking the location of devices at all times to ensure an unauthorized user has not gained access.
  • Network Management

    What is Network Management?

    It is the set of activities, procedures, processes, tools, and roles associated with protecting the organization’s network.  The goal in any secure organization is to create a strong and secure network minimizing risk to the organization while also not significantly impeding operations.

    Recommended Steps:

    • Anomalous Network Monitoring and Analytics Reporting – Advanced networking platforms and tools can be used to monitor network traffic and hunt for anomalous activity. This may take the form of an odd IP address utilizing a port or a large amount of data moving from inside to outside your network.  There are several providers and solutions that can be implemented and monitored in house or utilizing a third party.
    • Network Based Sandboxing/Malware Execution – A sandbox is an isolated system (usually an isolated virtual machine) that can be used to execute a suspicious file and detect anomalous activity.  This is extremely helpful for organizations that receive sophisticated phishing messages.
  • Vulnerability Management

    What is Vulnerability Management?

    It is the practice of managing the risk of exploitation of IT vulnerabilities and involves the identification and mitigation of known vulnerabilities as well as prioritization based on risk. Vulnerability management should also include preparing for unknown vulnerabilities as well as risk mitigations for threats and vulnerabilities associated with your organization.

    Recommended Steps:

    • Implement Web Application Scanning – Many organizations have websites, and many of those websites may contain sensitive information or an interface into another system that is protected by authentication. There may also be instances where an external website shares a connection to an internal server or system. In all these cases, scanning that website for vulnerabilities is vital. Much like scanning endpoints, the goal is to determine whether website vulnerabilities exist that might allow an attacker to gain inappropriate levels of access to your site or the data and systems behind it. Automated tools are available to help with scanning and remediation, and more advanced steps can also be taken to ensure security is in place (see pen-testing below).
    • Data Loss Prevention Implementation – Data loss prevention builds on data classification and detects potential data breaches or data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage). Using the classifications created previously, technical policies can be implemented to monitor or even block the use of sensitive data depending on specific criteria.
    • Perform Penetration Testing - An evaluation methodology whereby assessors search for vulnerabilities and attempt to circumvent the security features of a network and/or information system.  This is a very in-depth process and although some tools exist to create an “automated” test, hands on testing with a reputable assessor is preferred.
    • Implement the HSCC's Managing Legacy Technology Security (HIC-MaLTS) Recommendations
  • Incident Response

    What is Incident Response?

    It is a set of activities that address the short-term, direct effects of an incident and may also support short-term recovery. In other words, this is a combination of processes, actions, and methodologies that an organization uses to respond to any cyber event. The goal is to create an efficient and referenceable document or set of documents aimed at minimizing impact, maximizing recovery, and creating a culture of preparedness.

    Recommended Steps:

    • Tabletop Exercises Conducted – A discussion-based exercise where personnel meet in a classroom setting or breakout groups and are presented with a scenario to validate the content of plans, procedures, policies, cooperative agreements, or other information for managing an incident.  This exercise builds on previous levels of incident response preparedness including the catalog of current threats and risks, end user training, and playbooks.
    • Use of dedicated in-house security and/or privacy staff or a Managed Security Service (MSS)/Security Operations Center (SOC) – Having the appropriate level of resources to manage security issues is a growing concern.  The goal is to shift from a reactive threat response posture to a proactive threat hunting posture.  This often requires the use of either internal staff trained in cyber security or the use of a third party to augment or completely offset an internal team. Managed Security Services (MSS) and Security Operations Centers (SOC) fill that role to augment or, in some cases, replace, an internal security function.
    • Incident Response Automation – With tools like EDR, XDR, MSS/SOC, and playbooks, an organization can leverage a suite of security systems, policies, and processes to automate a threat response. For example, the organization’s MSS team may observe anomalous activity from an endpoint: the execution of a PowerShell script that disables the local firewall and then begins communicating with a server outside the US. This triggers a set of incident responses that may include notifying the organization, automatically sequestering that endpoint, and automatically blocking the external IP from the network as well as the IP addresses of any incoming connections to that endpoint.
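    The automated response scenario above, as an added example that is not part of the Healthcare Cyber in a Box guidance: a small triage routine walks endpoint telemetry, flags a host whose firewall is disabled from PowerShell and that then connects to a server outside the US, and returns the response plan the step lists. The event format, the GeoIP table and the telemetry are all constructed for this example.

```python
"""
Added example (not from the Healthcare Cyber in a Box guidance): a toy
incident-response automation for the scenario above. It flags a host where a
PowerShell command disables the local firewall and is then followed by an
outbound connection to a server outside the US, and returns the actions the
step lists: notify, isolate the endpoint, block the external IP, and block
the IPs of recent inbound connections to that endpoint. The event format,
the GeoIP table and the telemetry are constructed for this example.
"""
from collections import defaultdict

# Constructed GeoIP lookup; a real deployment would query a GeoIP database.
GEOIP = {"203.0.113.7": "DE", "198.51.100.9": "US", "192.0.2.44": "US"}
HOME_COUNTRY = "US"

# Command-line fragments that indicate the host firewall is being turned off.
FIREWALL_DISABLE_MARKERS = ("set-netfirewallprofile", "advfirewall set")


def is_firewall_disable(cmdline: str) -> bool:
    """True if a PowerShell command line appears to disable the host firewall."""
    c = cmdline.lower()
    return any(m in c for m in FIREWALL_DISABLE_MARKERS) and (
        "-enabled false" in c or "state off" in c
    )


def triage_events(events: list[dict]) -> dict[str, list[str]]:
    """
    Return host -> ordered response actions for each host that shows a
    firewall-disable followed by a foreign outbound connection.
    Events are dicts with keys: ts, host, type, plus type-specific fields.
    """
    firewall_off = {}                 # host -> timestamp firewall was disabled
    inbound = defaultdict(set)        # host -> remote IPs that connected in
    actions: dict[str, list[str]] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["type"] == "process" and ev.get("image", "").lower().endswith("powershell.exe"):
            if is_firewall_disable(ev.get("cmdline", "")):
                firewall_off[host] = ev["ts"]
        elif ev["type"] == "netconn":
            if ev["direction"] == "in":
                inbound[host].add(ev["remote_ip"])
            elif ev["direction"] == "out" and host in firewall_off:
                country = GEOIP.get(ev["remote_ip"], "??")
                if country != HOME_COUNTRY and host not in actions:
                    plan = [
                        f"notify: {host} disabled firewall at {firewall_off[host]} "
                        f"then connected to {ev['remote_ip']} ({country})",
                        f"isolate: {host}",
                        f"block: {ev['remote_ip']}",
                    ]
                    # Also block whoever connected into the endpoint beforehand.
                    plan += [f"block: {ip}" for ip in sorted(inbound[host])]
                    actions[host] = plan
    return actions


# Constructed telemetry: WS-12 is the compromised host; WS-07 is benign.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "WS-12", "type": "netconn", "direction": "in", "remote_ip": "192.0.2.44"},
    {"ts": 2, "host": "WS-12", "type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"},
    {"ts": 3, "host": "WS-12", "type": "netconn", "direction": "out", "remote_ip": "203.0.113.7"},
    {"ts": 2, "host": "WS-07", "type": "process", "image": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
    {"ts": 4, "host": "WS-07", "type": "netconn", "direction": "out", "remote_ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for host, plan in triage_events(SAMPLE_EVENTS).items():
        print(host, plan)
```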
  • Medical Device Security

    What is Medical Device Security?

    Per Section 201(h) of the Food, Drug, and Cosmetic Act, a medical device is defined as an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is: recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes. The term "device" does not include software functions excluded pursuant to section 520(o). Medical devices serve a critical role in the treatment and prevention of disease and are constantly evolving to become more integrated and effective. Often that means these devices become networked or accessible via WiFi protocols. These devices should be treated with just as much care as endpoints, or more, as they often have unique restrictions on software updates, implementation, or administration. Managing these devices securely relies on process, controls, and strong vendor relationships.

    Recommended Steps:

    • Medical Device Management Software and Program Implementation – Software suites exist that help manage many aspects of medical device security mentioned in this section.  Tools that integrate asset management, vulnerability management, maintenance, access control, and device level security can all be managed through a suite of highly integrated tools.  These tools can often reduce resource time and maximize visibility into issues around managed devices.
    • Incident Response Plan (IRP) Integration – As mentioned previously, an incident response plan is a set of predetermined and documented procedures to detect and respond to a cyber incident.  Medical devices should be treated similarly to other endpoints with added emphasis on the sensitivity of the devices themselves due to their use and data that may be on the devices.  As with other parts of incident response, discuss possible risks, entry points, mitigations, and responses to an incident involving medical devices.
  • Cybersecurity Oversight and Governance

    What are Cyber Security Policies?

    Cyber Security Policies are an important, and often overlooked, aspect of a well-rounded cyber security posture. Policies help define the measures you have in place to detect and minimize threats, the management of critical processes, best practices regarding what employees should and should not do, and roles and responsibilities for members of the organization. As a healthcare organization, you are also required to have them as part of your HIPAA obligations. Below are some recommendations to get started; this is not a complete list of policies but a foundational one.

    Recommended Steps:

    • Create Business Continuity Plan – A document that outlines the steps necessary for the organization to operate during and recover from an unplanned outage of services.  This is often done in concert with a Disaster Recovery Plan and discusses what systems need to be prioritized for recovery.
    • Other Legal and Regulatory Policy implementation – Many legal and compliance requirements exist depending on what type of medical service is provided. In order to ensure compliance, it is strongly recommended to reach out to a privacy and compliance professional to review all policies and procedures to ensure you are meeting all regulatory standards.
    • Special Needs Policies Creation – As the organizational policy program matures, unique circumstances will arise requiring the creation of policies to address those circumstances.  For example, your organization may utilize all third-party staff to manage a particular system or service.  This may require an organization to create a vendor access policy or vendor review policy. This may not be necessary for another organization that performs all work in house.
    • Existing Policies Management and Maturation – As with any process, maturing that process is vital to its success. Policy management is no exception. Make sure your program includes periodically reviewing policies and procedures, staying current on new laws and regulations, and updating existing policies accordingly.
  • Penetration Testing

    What is Penetration Testing?

    A method of testing where testers target individual binary components or the application as a whole to determine whether intra or intercomponent vulnerabilities can be exploited to compromise the application, its data, or its environment resources.

    Recommended Steps:

    • Leverage automation and appoint an internal champion/team to continually test APIs, Internet-facing applications, and internal applications.
    • Use automation to address lower-risk issues.
  • Social Engineering Education

    What is Social Engineering?

    Social engineering is the tactic of manipulating, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

    Recommended Steps:

    • Conduct exercises and have corrective actions for highest-risk team members.
    • Conduct unannounced physical security walkthroughs, audits, and social engineering tests.
  • Risk Assessments

    What are Risk Assessments?

    Cybersecurity risk assessments assist healthcare providers and hospitals in understanding the cyber risks to their operations (e.g., mission, functions, critical service, image, reputation), organizational assets, and individuals.

    Recommended Steps:

    • Conduct internal HIPAA Security Risk Assessment with stakeholders.
    • Bring in an outside firm to conduct biennial risk assessment reviews.
    • Document and address open risks based on criticality.
  • Vendor Risk Assessments

    What are Vendor Risk Assessments?

    A vendor risk assessment (VRA), also known as a vendor risk review, is the process of identifying and evaluating potential risks or hazards associated with a vendor's operations and products and its potential impact on your organization.

    Recommended Steps:

    • Develop and empower an internal team to conduct vendor risk assessments.
    • Require SOC2, ISO, HITRUST, and/or UL standards for products and services.
  • Artificial Intelligence (AI)

    What is Artificial Intelligence (AI)?

    Artificial intelligence is the simulation of human intelligence processes by machines, especially computer systems. Specific applications of AI include expert systems, natural language processing, speech recognition and machine vision.

    Recommended Steps:

    • Establish a governance committee to review new AI/ML systems before onboarding.
    • Conduct AI/ML Risk Assessments on new systems.
    • Periodically re-assess existing AI/ML solutions.
  • Cyber Insurance

    What is Cyber Insurance?

    Cyber liability insurance is an insurance policy that provides businesses with a combination of coverage options to help protect the company from data breaches and other cyber security issues.

    Recommended Steps:

    • Conduct tabletop exercises with an Incident Response vendor.
  • Business Impact Analysis (BIA)

    What is Business Impact Analysis (BIA)?

    A business impact analysis (BIA) predicts the consequences of a disruption to your business, and gathers information needed to develop recovery strategies.

    Recommended Steps:

    • Keep BIA, BCP, and downtime procedures updated, at least, annually.
    • Train and drill workforce on BCP and downtime procedures, at least, annually.
  • Tracking Technologies

    What are Tracking Technologies?

    Tracking technologies are technologies used to collect information about users and their activities on a website. Examples of tracking technologies include cookies, web beacons, and embedded scripts.

    Recommended Steps:

    • Enroll in a proactive service to monitor for tracking technologies.
    • Conduct periodic reviews of tracking technologies in use by your organization and third-party vendors.
    • Include the use of tracking technologies in annual IT risk analysis.
  • Password Management and Storage

    What is Password Management and Storage?

    Proactively implementing policies for password management and the proper storage of passwords is an effective way to help mitigate cybersecurity risks and protect sensitive and proprietary information.

    • Test the network and attached devices for passwords stored in files, browsers, and spreadsheets.
    • Use Data Loss Prevention (DLP) to check for users sending passwords elsewhere.
  • Password Reset and Multifactor Device Callbacks

    What are Password Reset and Multifactor Device Change Callbacks?

    Requiring all users to store contact numbers in a central system helps ensure team members' information is kept up to date. In doing so, it helps reduce the risk of account takeovers and provides additional security for users and their accounts.

    • Audit and review Service Desk to make sure they are following processes.
    • Proactively warn managers of team members not having up to date information.
  • Payroll and ACH Change Callbacks

    What are Payroll and ACH Change Callbacks?

    Developing a strong callback process for payroll and ACH changes reminds employees to authenticate a request before sending funds. Training employees to recognize potential schemes and validate suspicious activity, such as a new bank account number for a known vendor, can help stop fraud.

    • Audit and review Payroll procedures to ensure they are following processes.
    • Audit vendors based on risk to make sure contact information is up to date.
  • Wire and Supply Chain Verifications

    What are Wire and Supply Chain Verifications?

    This control requires trusted contacts and callback numbers for all wire transfers and vendor information changes. It also allows processes to be developed and implemented to regularly check for and update vendor information.

    • Audit and review Treasury and Supply Chain teams to ensure they are following processes.
  • Endpoint Privilege Management and Temporary Admin Access

    What is Endpoint Privilege Management and Temporary Admin Access?

    This control establishes processes that allow the service desk or power users to temporarily grant users access to perform small administrative tasks. It can also leverage the software installation capabilities of device management software and/or use an endpoint management tool to grant limited administrative access to users with a business need.

    • Audit and review use of Endpoint Privilege Access Management.
    • Audit and review access entitlements for users.