Healthcare Vendor Management Guidance Helps Ensure Patient Safety, Information Security

The risks that third-party vendors and suppliers pose to Indiana healthcare providers have risen substantially in recent years, both because the number of third parties has grown and because the services they provide have become more critical.

With that in mind, the Healthcare Committee of the Indiana Executive Council on Cybersecurity (IECC) has created a new online Vendor Management Guide. It not only describes the approaches that can be used to manage these risks, but presents them in a way that is easy to understand and practical to implement, helping to ensure patient safety and the security of patient information.

The guidance focuses on six critical areas: risk assessments, cyber insurance, incident response, recommended best practices, business associate agreements (BAAs), and model contract language resources that help ensure the appropriate security terms are included in the contracts healthcare organizations enter into with their third-party vendors and suppliers. A further section highlights the latest federal resources, including the widely used Cybersecurity Framework (CSF) from the National Institute of Standards and Technology (NIST) and the Healthcare and Public Health Cyber Performance Goals.

  • Risk Assessments

    HIPAA covered entities are required to assess, document, and manage the risks posed to ePHI in their environment. Often, ePHI is housed by third-party vendors who provide application or data services to the entity. Before onboarding a new vendor, all HIPAA entities should conduct a thorough risk assessment of the vendor's security practices to ensure that risks to ePHI are minimized.

    Many vendors will supply healthcare customers with attestations or audits validated by a neutral third party, such as SOC reports, HITRUST, ISO, or UL certifications, or other audit reports, to demonstrate that appropriate cyber controls are in place in their organization. If the third party is supplying medical devices to the covered entity, it should also supply a Manufacturer Disclosure Statement for Medical Device Security (MDS2) for each device. Healthcare entities that are Health Information Sharing and Analysis Center (H-ISAC) members can access H-ISAC's library of MDS2 statements collected from its membership.

    HIPAA entities should utilize the risk management guidance found on the Office of the National Coordinator for Health Information Technology website, www.healthit.gov.

    Organizations may also benefit from using the ONC’s Security Risk Assessment Tool. The use of the ONC tool will also cover the risk assessment requirements from the HIPAA Security Rule.

  • Cyber Insurance

    Many healthcare organizations have chosen to mitigate the financial risks of cyberattacks, including those posed by third-party vendors, by purchasing cyber insurance coverage from their insurance carriers. However, because of the increasing ransomware risk in the healthcare and public health (HPH) sector, obtaining cyber insurance coverage has become increasingly difficult. Following these best practices will help increase a healthcare entity's chances of obtaining cyber coverage:

    • Multi-factor Authentication for access to information systems
    • Endpoint Detection and Response
    • Secure, air gapped, and encrypted backups
    • Privileged Access Management
    • Email filtering and web security
    • Patching and Vulnerability Management Program
    • Cyber Incident Response Plan and Testing
    • Cybersecurity awareness and Training Program
    • Remote Desktop Protocol hardening and controls
    • Logging and Monitoring systems
    • Outdated and End-of-Life systems replaced or Compensating Controls in place
    • Vendor/Supply Chain Risk Management Program
    • Regular Tabletop Exercises for Cyber Incident Response

    Following the guidance in Healthcare Cyber in a Box 2.1 provides healthcare organizations with a defensible way to demonstrate compliance needed for cyber insurance coverage.

    Additionally, the Cyber Insurance Toolkit, developed by the Indiana Executive Council on Cybersecurity, is a free, easy-to-download resource intended to help businesses and organizations understand what cyber liability insurance is, what it covers and why it’s become an increasingly important part of a company’s risk management strategy.

  • Incident Response

    Even if a healthcare organization has not itself been the target of a cyberattack, an attack on one of its third-party vendors can still pose major operational and data security challenges. Increasing the number of vendors supplying applications or services to an organization likewise increases the likelihood that one of them will experience some form of cyber-related interruption. It is critical that healthcare organizations develop and maintain incident response plans that include plans for responding to a third-party vendor's cybersecurity or other downtime events. Key factors to consider are:

    • Operational business continuity plans to continue providing care while the third-party resources are unavailable.
    • FEMA offers a free continuity plan template that includes instructions for non-federal entities and community-based organizations
    • Technical plans including quick severance of data connections to and from the third party’s systems.
    • Maintenance of a log for all communications received from the third party regarding the incident.
    • Obtaining an after-incident report including root cause analysis and mitigation/improvement actions taken by the third party in response to the event.

  • HICP 10 Best Practices

    In January 2021, the President signed into law HR 7898, which provides a regulatory incentive for healthcare organizations to adopt recognized security best practice frameworks. The Health Industry Cybersecurity Practices (HICP) publication promulgated by the 405(d) Task Group is cited as a best practice framework for healthcare.

    HICP comprises 10 practices that can be implemented to mitigate the risk of being impacted by the top threats facing healthcare organizations. Two published volumes help organizations implement the best practices: one for Small Organizations and one for Medium and Large Organizations. The 10 best practices are:

    1. Email Protection Systems
    2. Endpoint Protection Systems
    3. Access Management
    4. Data Protection and Loss Prevention
    5. Asset Management
    6. Network Management
    7. Vulnerability Management
    8. Security Operation Center and Incident Response
    9. Network Connected Medical Devices
    10. Cybersecurity Oversight and Governance

    Healthcare organizations should utilize the 10 best practices as vetting resources when evaluating vendors’ cybersecurity practices as well as their own.

    The IECC developed Healthcare Cyber in a Box 2.1, a maturity model that supports the HICP 10 Best Practices and outlines the steps healthcare organizations need to follow to address the HICP guidelines.

  • Business Associate Agreements (BAAs)

    Business Associate Agreements (BAAs) are a critical component of vendor management for healthcare organizations under HIPAA regulations. These agreements are required when a HIPAA covered entity engages a third party that will have access to, transmit, or store protected health information (PHI) on behalf of the covered entity.

    Key points to consider for BAAs include:

    1. Mandatory Requirement: HIPAA covered entities are required to have a BAA in place with any vendor that handles PHI on their behalf.
    2. Scope of Agreement: The BAA should clearly define the permitted uses and disclosures of PHI by the business associate.
    3. Security Measures: The agreement should specify the security measures the business associate must implement to protect PHI, aligning with HIPAA Security Rule requirements.
    4. Breach Notification: BAAs should include provisions for timely notification to the covered entity in case of a data breach involving PHI.
    5. Subcontractor Management: The BAA should address how the business associate will manage any subcontractors that may have access to PHI.
    6. Termination and Data Return: The agreement should outline procedures for the return or destruction of PHI upon termination of the contract.
    7. Compliance Audits: Consider including provisions that allow for periodic audits or assessments of the business associate's HIPAA compliance.
    8. Liability and Indemnification: Clear terms should be established regarding liability and indemnification in case of HIPAA violations or data breaches.

    Healthcare organizations should work closely with their legal counsel to ensure that their BAAs are comprehensive and comply with all HIPAA requirements. Regular review and updates of these agreements are essential to address evolving cybersecurity threats and regulatory changes.

    For additional guidance on BAAs, healthcare entities can refer to the Office for Civil Rights (OCR) website, which provides sample BAA provisions and other relevant resources.

  • Model Contract Language Resources

    The Health Sector Coordinating Council (HSCC) published the Model Contract Language for Healthcare Cybersecurity (HC2), available here. This model contract, developed by providers, device vendors, and other stakeholders, provides vetted language for ensuring security terms are included in contracts that healthcare organizations enter into.

  • Federal Resources

    The National Institute of Standards and Technology (NIST) has updated the widely used Cybersecurity Framework (CSF), its landmark guidance document for reducing cybersecurity risk. The new 2.0 edition is designed for all audiences, industry sectors and organization types, from the smallest schools and nonprofits to the largest agencies and corporations — regardless of their degree of cybersecurity sophistication.

    In February 2024, NIST also published Special Publication (SP) 800-66r2 (Revision 2): Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide. SP 800-66r2 is a comprehensive cybersecurity resource guide that provides guidance for HIPAA-regulated entities on implementing the HIPAA Security Rule, including risk assessment, management of electronic Protected Health Information (ePHI), and improving overall cybersecurity posture.

    The Healthcare and Public Health (HPH) Cyber Performance Goals (CPGs) are a set of voluntary cybersecurity standards released by the U.S. Department of Health and Human Services (HHS) to help healthcare organizations prioritize key security actions and reduce risk. The CPGs consist of "essential" goals for establishing minimum security practices and "enhanced" goals for advanced strategies, catering to organizations at different levels of security maturity. These healthcare-specific CPGs build upon existing frameworks and are designed to provide layered protection at various stages of potential cyberattacks, with the possibility of becoming mandatory standards in the future.