New guidelines developed by leading experts offer practical ways to cost-effectively reduce cybersecurity risks.
Cybersecurity is on every healthcare organization’s list of top priorities for 2019, and last week the U.S. Department of Health and Human Services (HHS) released “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.” This four-volume publication provides guidance on voluntary cybersecurity practices for healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems.
The industry-led effort was in response to a mandate set forth by the Cybersecurity Act of 2015 Section 405(d) to develop practical guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry. The publication is the result of a two-year effort that brought together over 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.
“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively,” said Janet Vogel, HHS Acting Chief Information Security Officer.
Technologies such as Electronic Health Records (EHRs) and computerized physician order entry software are essential to the healthcare industry and help improve patient care and outcomes. Not only are organizations using technology to collect and track data, but it is increasingly necessary to share protected health information (PHI) between care settings, practitioners, payors, and others. While the ability to collect and share information is essential to patient care, these same technologies are vulnerable to increasingly sophisticated attacks from cybercriminals, hackers, and others. They can be exploited to gain access to personal patient data or to render entire health systems inoperable. Recent cyber-attacks against the nation’s healthcare industry continue to highlight the importance of ensuring these technologies are safe and secure.
The HICP publication aims to provide cybersecurity practices for this vast, diverse, and open sector in order to improve the security and safety of patients. The main document of the publication explores the five most relevant and current threats to the industry: email phishing attacks; ransomware attacks; loss or theft of equipment or data; insider data loss, whether accidental or intentional; and attacks against connected medical devices that may affect patient safety. It also recommends 10 cybersecurity practices to help mitigate these threats, including email and endpoint protection systems, access management, data protection and loss prevention, and incident response. In addition, it presents real-life events and statistics that demonstrate the financial and patient care impacts of cyber incidents. There are also two technical volumes geared toward IT and IT security professionals.