HEALTH INDUSTRY CYBERSECURITY PRACTICES

Under the Cybersecurity Act of 2015 (CSA), Section 405(d) Congress established a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes that:

• cost-effectively reduce cybersecurity risks for a range of healthcare organizations,
• support voluntary adoption and implementation efforts to improve safeguards and are consistent with:
  • the standards, guidelines, best practices, developed under section 2(c)(15) of the NIST Act,
  • the security and privacy regulations under section 264© of the HIPAA Act, and
  • the provisions of the Health Information Technology for Economic & Clinical Health (HITECH) Act.

The Healthcare and Public Health Sector Coordinating Council and the Health Care Industry Cybersecurity Task Force were given the initiative to align healthcare industry security approaches.  The Task Force created the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients Publication to point out 10 “Recognized Security Practices” addressing the 5 Major Cybersecurity Threats to the Healthcare Industry.

A single cyber-attack has the potential to shut down care facilities, erase important patient health history, and put patient’s health and identity at risk.  In the event of a breach, HHS OCR will audit an organization’s compliance program.  Any deficiencies may result in civil monetary penalties. The only mitigating factor in determining the amounts are the organization’s documented compliance efforts proving these “recognized security practices” are in place at least 12 months prior to an incident.

Apart from the basic cybersecurity practices and protections, the human element is one of the most significant in securing an organization.  Good cybersecurity begins with developing and enforcing solid security policies.

The five main cybersecurity risks are:

1. Email Phishing and Spoofing or BEC (Business Email Compromise)
2. Ransomware
3. Attacks Against Connected Medical Devices
4. Insider, Accidental or Intentional Data Loss
5. Loss or Theft of Equipment or Data

The 10 Cybersecurity Practices are:

1. Email Protection Systems
2. Endpoint Protection Systems
3. Access Management
4. Data Protection and Loss Prevention
5. Asset Management
6. Network Management
7. Vulnerability Management
8. Incident Response
9. Medical Device Security
10. Cybersecurity Policies

Many solutions exist to address these practices with multiple layers of protection for each.  ESI can help you find the right solution for your organization’s scale and budget.

Basic Cybersecurity Protections your Organization Should Have in Place:

1. Up-to-date Software and Operating Systems that are regularly patched with security updates.
2. Firewalls – Network and Endpoints.
3. Centralized, Managed, and Monitored Antivirus on all Endpoints.
4. Email Security Service with Protection from Spoofing, Phishing, and Malware.
5. Access & Identity Management, Multi-Factor Authentication, and Credential or Password Security Policies.
6. Backups that are monitored for completion and regularly tested for integrity and restorability. Also consider Immutable Backups.

*Nothing in this document constitutes legal advice. Please seek qualified legal counsel familiar with HIPAA Compliance for any legal advice.