Why Healthcare Security Is a Must
The increase in cyberattacks on healthcare organizations has exposed millions of patients’ sensitive information, causing significant financial and reputational damage. Furthermore, the alarming rate of cyberattacks in the healthcare sector highlights the urgent need for healthcare providers to review their data security measures and ensure the protection of their patients’ private information.
In this article, we will explore the challenges that small healthcare organizations face regarding cybersecurity, how the 405(d) Task Group is helping them reduce cybersecurity risks, and the role of the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” document in guiding organizations of all sizes in managing cybersecurity threats and protecting patient data. Additionally, we will discuss how to work towards better data security and the reasons why hackers target healthcare data in the first place.
Cybersecurity Continues to Challenge Small Healthcare Organizations
Small healthcare organizations often have limited resources for cybersecurity management but are still vulnerable to cyberattacks. These organizations are primarily focused on providing cost-effective healthcare services to patients, which involve the electronic sharing of clinical and financial information. They must comply with multiple legal and regulatory guidelines while often relying on third-party IT support and cloud service providers to maintain operations.
Introducing a New Security Frameworks Fit for Small Healthcare Organizations
The 405(d) Task Group was created by the HHS in response to the Cybersecurity Act of 2015 to help healthcare organizations reduce cybersecurity risks. The task group develops voluntary, consensus-based guidelines, best practices, and methodologies. The task group brought together stakeholders from across the healthcare industry, including healthcare providers, cybersecurity experts, and representatives from government agencies. The 405(d) Program supports healthcare organizations in implementing these practices to improve their cybersecurity posture and protect sensitive patient information from cyber threats.
Its main goal has been to create a practical set of guidelines to help healthcare organizations of all sizes better manage cybersecurity threats and protect patient data. These were published in the publication of the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” document, which provides a framework for implementing effective cybersecurity practices in the healthcare sector.
405(d) Health Industry Cybersecurity Practices (HICP): What is it?
The 405(d) Health Industry Cybersecurity Practices (HICP) emerged as a response to the outdated cybersecurity guidelines established by HIPAA in 1996. Understanding that cybersecurity requirements have vastly evolved over the years, the 405(d) HICP was designed to address the unique needs and capabilities of small, medium, and large healthcare organizations while arming them against growing cyber threats. In the wake of the coronavirus pandemic, it became vital to strengthen cybersecurity measures since healthcare professionals increasingly relied on digital systems, and breaches had the potential to compromise millions of records.
The HICP guidelines focus on ten practices that guard against the top threats identified by the HHS, such as email phishing attacks, ransomware attacks, and attacks on connected medical devices. These practices include email protection systems, endpoint protection systems, access management, data protection and loss prevention, asset management, network management, vulnerability management, incident response, medical device security, and cybersecurity policies. HICP is structured into one main document and two technical volumes. The main document details the top five threats and offers ten best practices to mitigate them, while the technical volumes provide guidance tailored to different organization sizes.
What type of healthcare organization can implement the 405(d) HICP?
Technical Volume 1 breaks down the ten practices for small healthcare organizations, making them easily implementable according to their size and capabilities. Technical Volume 2, on the other hand, outlines the ten cybersecurity practices suited for medium and large healthcare organizations. By offering prioritized and relevant practice guidance, 405(d) HICP allows healthcare organizations to align their cybersecurity measures with HIPAA and the NIST CSF, tailored specifically for the healthcare sector.
As healthcare organizations grow, evolve or experience changes, such as mergers or acquisitions, they can use the appropriate HICP technical volume to adapt and enhance their cybersecurity practices, ensuring continuous and effective protection against cyber threats.
Can the 405(d) audit help us approach NIST Compliance?
“Yes. A 405(d) audit is essentially an assessment based on the NIST framework that was designed by the HHS specifically for healthcare organizations. The 405(d) framework provides guidance on implementing risk-associated controls within organizations of different sizes—small, medium, and large. The suggestive requirements outlined for the medium and large organizations are quite similar; for small organizations there is a special set of suggestive requirements,” explained Rob.
Can the 405(d) audit help us approach HIPAA compliance?
“Absolutely, if you look at the security requirements for HIPAA, they include administrative, physical and technical safeguards. These same areas are covered within the 405(d) framework. It’s closely aligned with HIPAA and backed by the same regulatory bodies; the only difference between HIPAA and 405(d) is its prescriptive nature,” said Rob. “The 405(d) audit can serve as the base for your risk-based program and subsequent annual evaluations which is required to meet HIPAA compliance.”
Related article: the HITRUST RightStart Program Helps Startups Approach Compliance.
What can we expect about the 405(d) audit process?
“The process for preparing and undergoing a 405(d) audit is similar to most other frameworks. It’s most similar, I think, to a SOC 2 type I audit because it doesn’t cover a longer period of time for the testing scope. Instead, it looks at the ‘point in time’ and attests that a base-line level of controls is in place.”
What are the HHS guidelines for small healthcare organizations?
In Technical Volume 1, the HHS specifically provides simple and practical cybersecurity practices for small-sized healthcare entities that may not have dedicated IT and security department. The HICP document focuses on five key cybersecurity threats and provides 10 practices to mitigate them:
- E-mail Protection Systems – recommended practices for small healthcare organizations that rely on third-party email providers are divided into three categories: email system configuration, education, and phishing simulations.
- Email System Configuration – The article recommends several steps to enhance the security of your email system including choosing an email platform that specializes in healthcare, ensuring spam and antivirus software is installed and updated, using multifactor authentication (MFA), and configuring it to tag external messages and warn users to be cautious.
- Education – Staff should be educated on how to protect the organization against email-based cyberattacks, such as phishing and ransomware. Increasing understanding and awareness of potential threats is key to preventing incidents.
- Phishing Simulations – To raise awareness and train staff on identifying phishing emails, organizations can conduct phishing simulations. These simulations expose employees to realistic phishing scenarios, helping them recognize and avoid falling for actual phishing attempts.
- Endpoint Protection Systems – For small organizations, endpoint protection should cover desktops, laptops, mobile devices, and connected hardware devices. This includes auditing applications to limit administrative access only to authorized personnel and encrypting network access. Guidelines also address patching, antivirus configuration, endpoint encryption, MFA and enabling firewalls.
- Access Management – To manage user access and mitigate cyber threats, organizations should implement the following security controls: assigning unique user accounts, limiting the number of shared accounts, limiting privileges to the lowest level needed for each user, promptly terminating user access, and programming endpoints to lock and log-off after a set period of inactivity.
- Data Protection and Loss Prevention – Small organizations should implement loss prevention policies, procedures, and training to prevent data loss.
- Asset Management – ITAM should cover the lifecycle of each IT asset. For small organizations, this means:
- Inventory: Maintain a complete and accurate inventory of IT assets, including workstations, laptops, servers, portable drives, mobile devices, tablets, and smartphones.
- Procurement: Record each new IT asset as it is acquired and assign the responsibility of collecting information on new assets to a designated purchaser.
- Decommissioning: Decommission IT assets that are no longer functional or required following organizational procedures. Contract with an outside service provider specializing in secure destruction processes to ensure sensitive data is properly removed from devices.
- Network Security – For small organizations, proper cybersecurity hygiene should include:
- Network Segmentation: Configure networks to restrict access between devices, limit cyberattacks from spreading across the network, and control third-party entities’ access to separate networks.
- Physical Security and Guest Access: Restrict physical access to server and network equipment, keep data and network closets locked, disable unused network ports, and establish separate guest networks in conference rooms or waiting areas.
- Intrusion Prevention: Implement intrusion prevention systems (IPS) as part of your network protection plan. Use modern firewall technologies that include an IPS component to reduce vulnerability to known types of cyberattacks.
- Vulnerability management – this measure is essential for organizations to detect and address technology flaws that hackers could exploit. For small organizations, key vulnerability management practices include vulnerability scans, remediating vulnerabilities identified, web application scanning, and maintenance of server, application and third-party software security.
- Incident Response – Incident response is crucial for discovering cyberattacks on networks and preventing data breaches or loss. For small organizations, the key steps begin with developing and implementing an incident response plan that outlines the procedure for when events like malware downloads or phishing attacks occur. This volume also recommends becoming a member of a professional outlet, such as ISACs or ISAOs, for updated information on cyber threats and cyber intelligence.
- Medical Device Security – As technology advances, so too do the methods in which people can attempt to hack devices connected to clinical systems. This creates a heightened risk for human error as well as the labor burden it takes to constantly update and manage these devices. By having a better understanding of how these devices are interconnected, we can begin to take steps in developing more secure systems that protect against outside threats. Volume 2 provides more prescriptive advice on how to safeguard networks with connected medical devices.
- Cybersecurity Policies – Establishing and implementing cybersecurity policies, procedures, and processes sets expectations and promotes consistent adoption of behaviors by the workforce, contractors, and third-party vendors.
How Healthcare Providers Can Work Toward Better Data Security
If your company is a healthcare provider or works with healthcare organizations, then you will need to ensure that your information systems provide a set of protocols and controls that keep patients’ electronic health information secure. One of the best ways to work toward better data security is by having experienced IT professionals perform an audit to assess potential risks and vulnerabilities to the integrity, confidentiality, and availability of the Electronic Protected Health Information (ePHI) that you are collecting, storing, or processing.
A data security audit will help ensure that your organization is remaining compliant with HIPAA and HITECH standards to avoid any penalties. In addition, an audit can help your organization find any gaps in security or improvements that need to be made in order to remain compliant and protect your patient information from security breaches. By improving data security measures across the organization, your company will not only be able to reduce costs associated with cyber-attacks but also provide some reassurance to your patients and customers who entrust your company with their private health data.
Why do hackers target healthcare data?
Hackers have been making money by breaking into private healthcare databases and stealing sensitive information for years. This problem doesn’t seem to be going away anytime soon.
Some of the biggest healthcare data breaches in history have exposed millions of patients’ sensitive information, leading to significant financial and reputational damage for the affected organizations. For example, the Molina Healthcare breach affected 4.8 million patients, and hundreds of thousands of kids’ health records were stolen from pediatricians’ offices. This shows that healthcare providers need to do more to protect their patients’ data.
When it comes to protecting healthcare data, recent breaches have shown that we can’t be too careful. Many individuals and healthcare organizations may find themselves wondering what healthcare data they hold that might be dangerous when it ends up in the wrong hands. This is a good opportunity for healthcare providers to review their data security measures and make sure their patients’ private information is protected.
Healthcare data is a very profitable business for hackers. According to a recent report from Reuters, patients’ medical records are worth more to hackers than credit card data. Hackers can get $10 for each individual healthcare profile on the black market, which is about 10 to 20 times the amount of money they would receive for credit card information.
With a patient’s list of diagnoses and prescriptions, an individual can order costly medications or medical equipment and resell them for a profit. These hackers can file fraudulent insurance claims to get reimbursements or even use patient healthcare data to obtain free healthcare. Unlike most credit card companies, many healthcare providers are not as vigilant when monitoring this type of activity. This allows hackers to reap the benefits of the data for a longer period of time, sometimes even years.
Why is data security more critical than ever in healthcare?
Since healthcare data can be so lucrative for hackers, many healthcare companies and facilities have recently found themselves bombarded by cyber-attacks, which cost the U.S. healthcare system over $6 billion dollars each year. Many of these healthcare organizations are not prepared for these types of attacks, which puts their patient data at risk when a security breach occurs. One survey shows that 81% of healthcare providers and organizations have been subjected to these types of attacks over the past few years, indicating how ill-prepared many healthcare providers are regarding data security.
That is why it is vital for healthcare providers, facilities, and insurance companies to take every measure possible to protect patient information.
I.S. Partners Offers a Full Program for Healthcare
Does your healthcare organization have the proper safeguards in place to protect patient data? I.S. Partners provides audits for healthcare providers working under HIPAA, HITECH, and HITRUST standards to ensure that they are remaining compliant with federal regulations regarding healthcare data. Contact us via the website form to discuss your HIPAA-HITECH audit and report, including ways to improve operations in order to better protect private healthcare data.