Health Data, Regulatory and Health Industry

Compare Your Cybersecurity Program Against Industry Best Practices

On January 5, 2021, President Trump signed into law H.R. 7898, which amends the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the secretary of the US Department of Health and Human Services (HHS) to consider certain recognized security practices when making determinations relating to fines and corrective action plans. From the Act: The term “recognized security best practices” means standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity.

More than a year later, organizations still struggle with strengthening their security programs, and the healthcare industry continues to see signs of significant risks to healthcare information systems. On March 1, 2022, HHS issued a warning stating, “Russia’s unprovoked attack on Ukraine has, as expected, spilled over into cyberspace,” providing specific information detailing Russia’s cyber capabilities.

So, what resources are available to help organizations stay abreast of current cybersecurity threats and vulnerabilities as well as understand which best practices to evaluate?

Information Sharing

The Cybersecurity Act of 2015 was created in part as an effort to promote information sharing by private companies for “cybersecurity purposes.” From the Act: A “cybersecurity purpose” is defined as “the purpose of protecting an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security vulnerability.”

In the past, private companies were reluctant to share information for fear of civil or criminal liability. The Act authorizes private companies to share information with the federal government, with the Department of Homeland Security acting as a clearinghouse.

In addition to sharing potential threats and best practices, the Cybersecurity and Infrastructure Security Agency (CISA) has created a “Bad Practices” document, which includes the following examples:

1. Use of end-of-life software

  • What version of Windows are you using?
  • Do you have a plan for upgrading software that is nearing end-of-life support?

2. Use of known/default/fixed passwords

  • Are you changing default system administrator passwords?
  • Are you blocking the use of commonly used and easy-to-guess passwords?

3. Use of single-factor authentication for remote or administrative access

  • Have you evaluated two-factor authentication?

4. Poor patching

  • Are your security patches up to date?

Determine Your Risks and Vulnerabilities

The best way to identify your risks and vulnerabilities is to conduct a security risk analysis (SRA). If you have not completed your initial SRA, start today. There are many helpful resources available on the HHS website. A great starting point for any organization is to identify where your electronic protected health information (ePHI) is stored, received, maintained or transmitted. Your asset inventory should include (but is not limited to) applications, laptops, desktops, external memory devices, multi-function machines with hard drives, and medical devices.

After locating your ePHI, start identifying your risk factors, including threats and vulnerabilities. The National Institute of Standards and Technology defines a threat as the potential for a person or thing to exercise a specific vulnerability. Threats can be human (a hacker) or natural (a flood). A vulnerability is a flaw or weakness in your security program. Examples of vulnerabilities include running an operating system that is no longer supported and no longer receives updates; a lack of virus protection or encryption; a sprinkler head in your server room; or an error in how access to ePHI is configured. Identifying your risks before someone else does can help you prevent a breach; many breaches can be traced back to the items in CISA’s Bad Practices document.
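The two passages above (CISA’s Bad Practices checklist and the SRA asset inventory) can be turned into a repeatable self-check. The following Python script is an added example for this article; it is not code from CISA, HHS or the author. It assumes a hypothetical asset-inventory format (the Asset dataclass), constructed sample assets, an example patch-age policy of 30 days, and a small table of Windows end-of-support dates that you should verify against the vendor’s published lifecycle before relying on it. The script flags each asset against the four bad practices and lists findings on ePHI-bearing assets first, which is the ordering an SRA would want.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# End-of-support dates used by this example (assumption: verify against the
# vendor's lifecycle page before relying on them in a real SRA).
END_OF_SUPPORT: Dict[str, date] = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
    "Windows Server 2019": date(2029, 1, 9),
}

# Example policy threshold (assumption): a security patch older than this is "poor patching".
PATCH_AGE_LIMIT_DAYS = 30

# Labels mirror the four CISA Bad Practices quoted in the article.
BP_EOL = "end-of-life software"
BP_DEFAULT_PW = "default passwords"
BP_SINGLE_FACTOR = "single-factor remote/admin access"
BP_PATCHING = "poor patching"


@dataclass
class Asset:
    """One row of a hypothetical asset inventory (format assumed for this example)."""
    name: str
    os: str
    stores_ephi: bool                 # does the device store/process/transmit ePHI?
    default_credentials_changed: bool  # have vendor default admin passwords been changed?
    remote_access: bool                # is remote or administrative access exposed?
    remote_admin_mfa: bool             # is that access protected by a second factor?
    last_patched: date


@dataclass
class Finding:
    asset: str
    bad_practice: str
    detail: str
    stores_ephi: bool


def assess(assets: List[Asset], as_of: date) -> List[Finding]:
    """Check every asset against the four bad practices; ePHI assets are listed first."""
    findings: List[Finding] = []
    for a in assets:
        eol = END_OF_SUPPORT.get(a.os)
        if eol is not None and eol <= as_of:
            findings.append(Finding(a.name, BP_EOL, f"{a.os} unsupported since {eol}", a.stores_ephi))
        if not a.default_credentials_changed:
            findings.append(Finding(a.name, BP_DEFAULT_PW,
                                    "vendor default administrator credentials still in use", a.stores_ephi))
        if a.remote_access and not a.remote_admin_mfa:
            findings.append(Finding(a.name, BP_SINGLE_FACTOR,
                                    "remote/administrative access without a second factor", a.stores_ephi))
        patch_age = (as_of - a.last_patched).days
        if patch_age > PATCH_AGE_LIMIT_DAYS:
            findings.append(Finding(a.name, BP_PATCHING,
                                    f"last patched {patch_age} days ago (limit {PATCH_AGE_LIMIT_DAYS})",
                                    a.stores_ephi))
    # Stable sort: ePHI-bearing assets first, otherwise keep inventory order.
    findings.sort(key=lambda f: not f.stores_ephi)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per bad practice, for the summary page of an SRA."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.bad_practice] = counts.get(f.bad_practice, 0) + 1
    return counts


# Constructed sample inventory (not real devices) and assessment date.
AS_OF = date(2022, 3, 15)
SAMPLE_ASSETS = [
    Asset("kiosk-lobby", "Windows 7", False, True, False, True, date(2022, 3, 10)),
    Asset("lab-pc-07", "Windows 7", True, True, True, False, date(2021, 11, 2)),
    Asset("mfp-hall-2", "Printer firmware", True, False, False, False, date(2022, 3, 1)),
    Asset("ehr-app-01", "Windows Server 2019", True, True, True, True, date(2022, 3, 10)),
]


def run_example() -> List[Finding]:
    return assess(SAMPLE_ASSETS, AS_OF)


if __name__ == "__main__":
    for f in run_example():
        flag = "ePHI" if f.stores_ephi else "    "
        print(f"[{flag}] {f.asset:<12} {f.bad_practice:<34} {f.detail}")
    print(summarize(run_example()))
```

Run against the sample inventory, the script produces five findings: the ePHI-bearing lab workstation is flagged three times (unsupported OS, no second factor on remote access, 133 days since its last patch), the multi-function printer once for unchanged default credentials, and the non-ePHI lobby kiosk last, for its unsupported OS. Replacing SAMPLE_ASSETS with an export of your own inventory is the only change needed to reuse it.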

Vetted Cybersecurity Practices

In December 2021, HHS, through the Office of the Chief Information Officer (OCIO) and the Office of Information Security (OIS), launched a website for the HHS 405(d) Aligning Health Care Industry Security Approaches Program.

The 405(d) program aims to raise awareness, provide vetted cybersecurity practices, and move organizations toward consistency in mitigating the current most pertinent cybersecurity threats to the sector. It is in response to the Cybersecurity Information Sharing Act of 2015, which calls for “the timely sharing [of information by the government] with relevant Federal entities and non-Federal entities of cyber threat indicators, defensive measures, and information relating to cybersecurity threats.”

The program’s primary publication provides vetted cybersecurity practices for healthcare organizations of all sizes. “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)” is divided into two separate technical volumes: one focuses on small healthcare organizations, while the other focuses on medium to large healthcare organizations.

The 405(d) Task Group identified five main cybersecurity threats:

  1. Email Phishing
  2. Ransomware
  3. Loss of or Theft of Equipment
  4. Insider, Accidental, or Intentional Data Loss
  5. Attacks Against Connected Medical Devices

And 10 best practices*:

  1. Email Protection Systems
  2. Access Management
  3. Asset Management
  4. Vulnerability Management
  5. Medical Device Security
  6. Endpoint Protection Systems
  7. Data Protection and Loss Prevention
  8. Network Management
  9. Incident Response
  10. Cybersecurity Policies

*Each best practice includes practical tips for small organizations and medium/large organizations.

The 405(d) website also provides resources, products, videos, and tools that help raise awareness and provide cybersecurity best practices. Erik Decker, 405(d) Task Group Industry co-leader, stated, “This website is the first of its kind! It’s a unique space where the healthcare industry can access vetted cybersecurity practices specific to the [the healthcare & public health] sector on a federal government website.”

There are many valuable tools and resources and a long list of publications and other materials the group has produced; it is well worth checking out.

DeAnn Tucker (dtucker@cokergroup.com) is a senior manager at Coker Group.