New Cybersecurity Tools for the Health Care and Public Health Sectors
Cybersecurity is not simply a technical issue of interest only to information technology departments. Cybersecurity issues create risk throughout health care entities and must be managed as a core business risk; at a minimum, they impact patient safety, business continuity, reputations, regulatory compliance, and economics.
On 17 April 2023, the US Department of Health and Human Services (HHS) released three cybersecurity tools specific to the health care and public health (HPH) sector, namely, a cyber awareness document, cyber educational tools, and an industry risk analysis. These important resources are available here and are discussed below.
A. Health Industry Cybersecurity Practices (HICP) 2023 Edition
The HICP is intended to be a starting point for use within the HPH sector to implement basic cybersecurity practices. HHS describes this document as a foundational publication that aims to raise awareness of cybersecurity risks, provide best practices, and help set standards in mitigating the most pertinent cybersecurity threats to the sector. There are two separate technical volumes appended to the core document. One of the technical volumes is for use by small health care organizations, the second is for use by medium and large health care organizations. Both versions provide recommendations relating to Health Insurance Portability and Accountability Act (HIPAA) compliance.
The HIPAA Security Rule (the Security Rule) sets out standards that a HIPAA-covered entity must comply with. The Security Rule (at 45 C.F.R. § 164.306) provides for a flexible, scalable, and technology-neutral framework to allow all covered entities to comply in a manner that is consistent with the unique circumstances of their size and environment.
The HICP provides a series of cybersecurity practices designed by HHS to help prevent, react to, and recover from cybersecurity threats. The HICP technical volumes group these practices into “Sub Practices” for different sizes of organizations and provide guidance across the following areas:
- Email Protection Systems
- Endpoint Protection Systems
- Access Management
- Data Protection and Loss Prevention
- Asset Management
- Network Management
- Vulnerability Management
- Security Operation Centers and Incident Response
- Network Connected Medical Devices
- Cybersecurity Oversight and Governance
B. Knowledge on Demand
The second tool provided by HHS is a new online educational platform, which provides training to improve cybersecurity awareness within health and public health organizations. This tool includes five training modules in the following five subject areas (which are intended to align with the top five cybersecurity threats discussed in the HICP):
- Social engineering
- Ransomware
- Loss or theft of equipment or data
- Accidental, intentional or malicious data loss
- Attacks against network-connected devices
The training materials are available as PowerPoint slides (along with presenters’ notes) and for use within a learning management system.
This training is intended for health care staff, security teams, and other departments that are on the front lines for protecting patient safety. The latter category may include board members charged with attention to risk issues.
C. Hospital Cyber Resiliency Initiative Landscape Analysis (the Landscape Analysis)
This Landscape Analysis document analyzes the current state of cybersecurity preparedness by domestic hospitals. It includes a review of hospitals participating in the study, benchmarked against standard cybersecurity guidelines such as HICP 2023 and the National Institute of Standards and Technology Cybersecurity Framework.
The analysis was created through a partnership co-led by the Health Sector Coordinating Council Cybersecurity Working Group and the Centers for Medicare & Medicaid Services. This partnership was convened to conduct a review to better understand the state of cybersecurity within US hospitals.
The Landscape Analysis includes a review of the active threats attacking hospitals and the cybersecurity capabilities of US hospitals. Included within the Landscape Analysis are the results of investigations into 1) the tactics and techniques that threat actors use to compromise hospitals and 2) the current state of participating hospitals’ cybersecurity resiliency (using the HICP as a framework).
The Landscape Analysis makes the following ten key observations and provides a detailed discussion of each:
- Directly targeted ransomware attacks aimed to disrupt clinical operations are an outsized and growing cyber threat to hospitals;
- Variable adoption of critical security features and processes, coupled with a continually evolving threat landscape, can expose hospitals to more cyberattacks;
- Hospitals report measurable success in implementing email protections; email remains a key attack vector;
- Supply chain risk is pervasive for hospitals;
- Medical devices have not typically been exploited to disrupt clinical operations in hospitals;
- There is significant variation in cybersecurity resiliency among hospitals;
- The use of antiquated hardware, systems, and software by hospitals is concerning;
- Cybersecurity insurance premiums continue to rise;
- Securing cyber talent with requisite skills and experience is challenging; and
- Adopting HICP improves cyber resiliency.
Conclusion
Cybersecurity preparedness is a crucial component of managing risk in the modern health care system. The HICP 2023 resources should be reviewed by and incorporated into the cybersecurity programs of health care organizations of any size. We also recommend revisiting the role of your board with respect to cybersecurity in light of the 2022 comments from the US Cybersecurity & Infrastructure Security Agency, available here.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.