On December 28, 2018, the U.S. Department of Health and Human Services (“HHS”) released the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication (the “Cybersecurity Guidelines”), which provides voluntary cybersecurity practices designed to reduce security risks and improve security for various healthcare organizations. Specifically, the Cybersecurity Guidelines represent a cooperative effort between HHS and industry participants produced in response to the mandate set forth in the Cybersecurity Act of 2015, Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry.
The Cybersecurity Guidelines are the product of the “405(d) Task Group,” a group of more than 150 healthcare and cybersecurity experts as well as government partners. The 405(d) Task Group was created in May 2017 to plan, develop and draft the Cybersecurity Guidelines. The 405(d) Task Group developed the voluntary, consensus-based principles and practices to improve cybersecurity in the health sector. Because the group determined that it was not feasible to address every cybersecurity challenge across the large and complex U.S. healthcare industry, it focused on the five most prevalent cybersecurity threats and outlined ten cybersecurity practices designed to help improve security for a broad range of organizations within the healthcare sector.
The five cybersecurity threats identified in the Cybersecurity Guidelines are:
- E-mail Phishing Attacks;
- Ransomware Attacks;
- Loss or Theft of Equipment or Data;
- Insider, Accidental or Intentional Data Loss; and
- Attacks Against Connected Medical Devices That May Affect Patient Safety.
The Cybersecurity Guidelines’ ten Cybersecurity Practices are:
- E-mail Protection
- Endpoint Protection Systems
- Access Management
- Data Protection and Loss Prevention
- Asset Management
- Network Management
- Vulnerability Management
- Incident Response
- Medical Device Security
- Cybersecurity Policies
The 405(d) Task Group’s approach was to (a) examine current cybersecurity threats affecting the industry; (b) identify specific weaknesses that make organizations more vulnerable to the threats; and (c) provide selected practices that cybersecurity experts rank as the most effective to mitigate the threats.
In addition to the primary Cybersecurity Guidelines document, the 405(d) Task Group also prepared and released two “Technical Volume” documents, one for small health care organizations and another for medium and large organizations, each of which discusses the ten cybersecurity practices along with relevant sub-practices for different sized health care organizations. There is also a Resources and Templates document which maps the practices and sub-practices against the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework, provides an assessment, roadmap and toolkit for implementing practices and sub-practices, and lists additional resources with supplemental information for the threats and concepts addressed in the Cybersecurity Guidelines. Finally, the 405(d) Task Group is continuing to develop a “Cybersecurity Practices Assessments Toolkit” designed to help organizations prioritize their cyber threats and develop their own action plans using the assessment methodology outlined in the Resources and Templates document. While this tool is not yet available, the 405(d) Task Group is offering the ability to receive an advance copy by emailing CISA405d@hhs.gov.
Consistent with the Cybersecurity Act of 2015, the Cybersecurity Guidelines set forth a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes to achieve three core goals:
- Cost-effectively reduce cybersecurity risks;
- Support the voluntary adoption and implementation of the Cybersecurity Guidelines’ recommendations; and
- Provide actionable, practical, and relevant content to health care stakeholders of every size and resource level.
We have outlined key information about the five cybersecurity threats and ten cybersecurity practices presented in the Cybersecurity Guidelines below.
Key Issues Addressed by the Cybersecurity Guidelines
Threat 1: E-mail Phishing Attacks
The first type of threat identified in the Cybersecurity Guidelines is phishing attacks. In the Technical Volume discussion of this threat, the Cybersecurity Guidelines explain that “[w]eak or stolen passwords were responsible for 80% of the hacking related breaches,” according to Verizon’s 2017 Data Breach Investigations Report. Because the two most common phishing methods are credential theft (leveraging e-mail to conduct a credential harvesting attack on the organization) and malware dropper attacks (e-mail delivery of malware that can compromise endpoints), the Cybersecurity Guidelines focus on addressing these two attack vectors.
To address this threat, the Cybersecurity Guidelines recommend that organizations take the following actions:
- Train staff to recognize suspicious e-mails and to know how to handle them (1.S.B)
- Implement multifactor authentication (MFA) (1.S.A, 3.M.D)
- Tag external e-mails to make them recognizable to staff (1.S.A)
- Implement proven and tested response procedures when employees click on phishing e-mails (1.S.C)
For medium and large organizations, the Cybersecurity Guidelines also recommend that entities:
- Implement incident response plans to manage successful phishing attacks (8.M.A)
- Implement advanced technologies for detecting and testing e-mail for malicious content or links (1.L.A)
- Establish cyber threat information sharing with other health care organizations (8.S.B, 8.M.C)
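The “tag external e-mails” practice (1.S.A) is simple to state but has one detail worth getting right: a phishing message can carry an internal-looking From: address while its Reply-To: points outside, so the tagging rule should look at both. The following is an added example for this summary, not code from HHS or the 405(d) Task Group. It assumes a hypothetical mail gateway that hands each inbound message to tag_external() as raw RFC 5322 bytes, and the organization domain example-hospital.org and tag text “[EXTERNAL]” are assumptions. The sample messages are constructed for illustration.

```python
"""Tag inbound e-mail from outside the organization so staff can recognize it.

Added example; not code from the HICP documents. Assumptions (hypothetical):
the organization's internal domain is example-hospital.org, the tag is
"[EXTERNAL]", and a mail gateway passes each message here as raw bytes.
A message counts as external if its From: address is outside the internal
domains, or if its Reply-To: points outside even when From: looks internal
(a common credential-phishing trick).
"""
from email import message_from_bytes, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-hospital.org"}   # assumption for this example
TAG = "[EXTERNAL]"


def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg):
    """True if From: or Reply-To: resolves outside the internal domains."""
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    if from_domain not in INTERNAL_DOMAINS:
        return True
    return bool(reply_domain) and reply_domain not in INTERNAL_DOMAINS


def tag_external(raw):
    """Return the message bytes with the subject tagged if it is external.

    The tag is never added twice, so a message that already carries
    "[EXTERNAL]" (including one where an attacker put it there) still ends
    up with exactly one tag at the front of the subject.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    if not is_external(msg):
        return raw
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(TAG):
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".rstrip()
    return msg.as_bytes()


def subject_of(raw):
    """Helper for inspection: the Subject: of a raw message as a string."""
    return str(message_from_bytes(raw, policy=policy.default).get("Subject", ""))


# Constructed sample messages (not real mail).
SAMPLE_INTERNAL = (
    b"From: Scheduling <scheduling@example-hospital.org>\r\n"
    b"To: nurse@example-hospital.org\r\n"
    b"Subject: Shift change Friday\r\n"
    b"\r\n"
    b"Please confirm your shift.\r\n"
)

# From: looks internal, but Reply-To: leads outside: should be tagged.
SAMPLE_SPOOFED = (
    b"From: IT Helpdesk <helpdesk@example-hospital.org>\r\n"
    b"Reply-To: support@evil-example.net\r\n"
    b"To: nurse@example-hospital.org\r\n"
    b"Subject: Password expires today\r\n"
    b"\r\n"
    b"Click here to keep your account.\r\n"
)


if __name__ == "__main__":
    for raw in (SAMPLE_INTERNAL, SAMPLE_SPOOFED):
        print(subject_of(tag_external(raw)))
```

Tagging is a visual cue for staff, not a filter; it should sit alongside the detection technologies (1.L.A) and the response procedure for clicked links (1.S.C) listed above rather than replace them.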
Threat 2: Ransomware Attacks
The Cybersecurity Guidelines reference the HHS Ransomware Fact Sheet, defining ransomware as “a type of malware (malicious software) [that] attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid.” After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key.
To combat ransomware attacks, the Cybersecurity Guidelines recommend that organizations:
- Patch software according to authorized procedures and ensure that users understand authorized patching procedures (7.S.A)
- Use strong/unique username and passwords with MFA (1.S.A, 3.S.A, 3.M.C)
- Limit users who can log in from remote desktops (3.S.A, 3.M.B)
- Deploy anti-malware detection and remediation tools (2.S.A, 2.M.A, 3.L.D)
- Separate critical or vulnerable systems from threats (6.S.A, 6.M.B, 6.L.A)
- Maintain a complete and updated inventory of assets (5.S.A, 5.M.A)
- Implement proven and tested incident response procedures (8.S.A, 8.M.B)
- Establish cyber threat information sharing with other health care organizations (8.S.B, 8.M.C)
In addition to these practices, the Cybersecurity Guidelines suggest that medium and large organizations:
- Be clear which computers may access and store sensitive or patient data (4.M.C)
- Limit the rate of allowed authentication attempts to thwart brute-force attacks (3.M.C)
- Implement proven and tested data backup and restoration procedures (4.M.D)
- Implement a backup strategy and secure the backups, so they are not accessible on the network they are backing up (4.M.D)
- Develop a ransomware recovery playbook and test it regularly (8.M.B)
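Of the practices above, “limit the rate of allowed authentication attempts” (3.M.C) is the one most often implemented incompletely: throttling only per account leaves password spraying (one source, many accounts) untouched, and throttling only per source lets an attacker rotate addresses against one account. The following is an added example for this summary, not code from HHS or the 405(d) Task Group, showing a limiter that counts failures per account and per source address. The login service, user records, password-hashing parameters and the fake clock are all assumptions made for the example.

```python
"""Limit authentication attempts per account and per source address.

Added example; not code from the HICP documents. Assumes a hypothetical login
service that keeps its counters in memory (a real deployment would share them
across servers). Policy: after MAX_ATTEMPTS failures within WINDOW_SECONDS for
either the account or the source address, further attempts are refused
without checking the password until the window passes. A successful login
clears the account counter but not the source counter.
"""
import hashlib
import hmac
import os
import time
from collections import deque

MAX_ATTEMPTS = 5          # assumed policy values
WINDOW_SECONDS = 300
PBKDF2_ROUNDS = 100_000   # kept low so the example runs quickly


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class LoginRateLimiter:
    """Sliding-window failure counter keyed by arbitrary tuples."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS,
                 clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.clock = clock
        self._failures = {}   # key -> deque of failure timestamps

    def _prune(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_locked(self, *keys):
        now = self.clock()
        return any(len(self._prune(k, now)) >= self.max_attempts for k in keys)

    def record_failure(self, *keys):
        now = self.clock()
        for k in keys:
            self._prune(k, now).append(now)

    def reset(self, key):
        self._failures.pop(key, None)


# Dummy record so unknown usernames cost the same time as known ones.
DUMMY_RECORD = hash_password("not-a-real-password")


def attempt_login(limiter, users, username, password, ip):
    """Return 'locked', 'denied' or 'ok' for one login attempt."""
    user_key, ip_key = ("user", username), ("ip", ip)
    if limiter.is_locked(user_key, ip_key):
        return "locked"
    record = users.get(username)
    salt, digest = record if record else DUMMY_RECORD
    valid = verify_password(password, salt, digest) and record is not None
    if valid:
        limiter.reset(user_key)
        return "ok"
    limiter.record_failure(user_key, ip_key)
    return "denied"


class FakeClock:
    """Controllable clock so the window can be advanced in a demonstration."""
    def __init__(self):
        self.t = 0.0
    def __call__(self):
        return self.t


def demo():
    """Walk through lockout, spraying from the same source, and window expiry."""
    clock = FakeClock()
    limiter = LoginRateLimiter(max_attempts=3, window=300, clock=clock)
    users = {"nurse1": hash_password("correct horse")}   # constructed record
    out = []
    for _ in range(4):                     # three failures, then locked
        out.append(attempt_login(limiter, users, "nurse1", "wrong", "10.0.0.7"))
    # The correct password is refused while the account is locked.
    out.append(attempt_login(limiter, users, "nurse1", "correct horse", "10.0.0.7"))
    # The same source spraying another account is throttled by the ip counter.
    out.append(attempt_login(limiter, users, "nurse2", "wrong", "10.0.0.7"))
    clock.t += 301                         # window expires
    out.append(attempt_login(limiter, users, "nurse1", "correct horse", "10.0.0.7"))
    return out


if __name__ == "__main__":
    print(demo())
```

A lockout of this kind is itself a denial-of-service lever (an attacker can lock a clinician out by guessing wrong deliberately), so the window and threshold should be chosen with the MFA and remote-desktop restrictions above in mind rather than set aggressively on their own.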
Threat 3: Loss or Theft of Equipment or Data
As the use of mobile devices increases, the risk of these devices being lost or stolen also increases. The Cybersecurity Guidelines explain that between January 1 and August 31 of 2018, HHS’ Office for Civil Rights received reports of 192 incidents of device theft, potentially affecting the data of more than 2 million people. To help prevent and/or mitigate the effects of lost or stolen devices, the Cybersecurity Guidelines recommend that health care organizations:
- Encrypt sensitive data, especially when transmitting data to other devices or organizations (4.S.B, 4.M.C)
- Promptly report loss/theft to designated company individuals to terminate access to the device and/or network (3.S.A)
- Maintain a complete, accurate, and current asset inventory to mitigate threats, especially the loss and theft of mobile devices such as laptops and USB/thumb drives (5.S.A)
- Define a process with clear accountabilities to clean sensitive data from every device before it is retired, refurbished, or resold (5.S.C, 5.M.D)
Further, medium and large entities should:
- Implement proven and tested data backups, with proven and tested restoration of data (4.M.D)
- Acquire and use data loss prevention tools (4.M.E, 4.L.A)
- Implement a safeguards policy for mobile devices supplemented with ongoing user awareness training on securing these devices (9.M.A)
- Encrypt data at rest on mobile devices to be inaccessible to anyone who finds the device (4.M.C)
Threat 4: Insider, Accidental or Intentional Data Loss
Unfortunately, threats from insiders present a risk to various organizations as well. The Cybersecurity Guidelines explain that these threats may be either accidental (an unintentional loss caused by an honest mistake) or intentional (a malicious loss or theft caused by an employee, contractor, other user of the organization’s technology infrastructure, network, or databases, with an objective of personal gain or inflicting harm to the organization or another individual).
The Cybersecurity Guidelines universally recommend that organizations train staff and IT users on data access and financial control procedures in an attempt to prevent or mitigate social engineering or procedural errors (1.S.B, 1.M.D). The Cybersecurity Guidelines also recommend the following practices for larger organizations:
- Implement and use workforce access auditing of health record systems and sensitive data (3.M.B)
- Implement and use privileged access management tools to report access to critical technology infrastructure and systems (3.M.C)
- Implement and use data loss prevention tools to detect and block leakage of PHI and PII via e-mail and web uploads (4.M.E, 4.L.A)
Threat 5: Attacks against Connected Medical Devices
The Food and Drug Administration defines a medical device as “an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part or accessory which is recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them; intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease.” Because these devices are increasingly capable of remote connectivity, they present an expanding potential attack vector for malicious actors. Furthermore, because these connected medical devices are often important to patient care, the risks associated with cyber incidents on these devices are critical.
With respect to connected medical devices, the Cybersecurity Guidelines recommend that organizations:
- Establish and maintain communication with medical device manufacturers’ product security teams (9.L.A)
- Patch devices after patches have been validated, distributed by the medical device manufacturer, and properly tested (9.M.B)
- Assess current security controls on networked medical devices (9.M.B, 9.M.E)
- Assess inventory traits such as IT components that may include the Media Access Control (MAC) address, Internet Protocol (IP) address, network segments, operating systems, applications, and other elements relevant to managing information security risks (9.M.D)
- Implement pre-procurement security requirements for vendors (9.L.C)
- Implement information security assurance practices, such as security risk assessments of new devices and validation of vendor practices on networks or facilities (1.L.A)
- Engage information security as a stakeholder in clinical procurements (9.L.C)
- Use a template for contract language with medical device manufacturers and others (9.L.C)
- Implement access controls for clinical and vendor support staff, including remote access, monitoring of vendor access, MFA, and minimum necessary or least privilege (9.M.C)
- Implement security operations practices for devices, including hardening, patching, monitoring, and threat detection capabilities (9.L.B)
- Develop and implement network security applications and practices for device networks (9.M.E)
Takeaways
The Cybersecurity Guidelines provide organizations with a good starting point for implementing basic cybersecurity practices. It is however important to note that the practices outlined in the Cybersecurity Guidelines are not intended to be a “de facto set of requirements that all organizations must implement,” nor does the fact that an organization implements any or all of these practices ensure that it has met applicable compliance and reporting obligations under the HIPAA Privacy or Security Rules. The Cybersecurity Guidelines are instead intended to leverage the NIST Cybersecurity Framework to help educate health sector professionals on cybersecurity and assist them in answering the prevailing question, “Where do I start and how do I adopt certain cybersecurity practices?”
The 405(d) Task Group’s recommended approach to using the Cybersecurity Guidelines is to review all of the recommended practices, evaluate them against the organization’s current security posture, and then conduct a risk assessment to determine how to prioritize and allocate resources for implementing relevant practices and sub-practices to protect against the threats with which the organization is most concerned. This approach is consistent with that of the HIPAA Security Rule, which seeks to protect individuals’ health information and to allow covered entities to adopt new technologies that improve the quality and efficiency of patient care, while at the same time providing the flexibility and scalability for health organizations to implement policies, procedures, and technologies that are appropriate for their particular size, organizational structure, and risks to consumers’ PHI.