japolia - Fotolia
A federal task group of cybersecurity experts and leaders spent two years working with healthcare organizations to craft a list of cybersecurity best practices.
"Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)," released in Dec. 2018, is a cybersecurity handbook that lists basic tools and practices healthcare organizations should use.
The College of Healthcare Information Management Executives (CHIME) and KLAS Research wanted to assess how aligned healthcare organizations are with the HICP cybersecurity recommendations. They found that most healthcare organizations, regardless of size, have established initial layers of defense against cyberattacks such as endpoint protection systems, but that smaller healthcare organizations are less likely to follow cybersecurity recommendations such as having a dedicated chief information security officer and governance, risk management and compliance committees.
The findings were released in a white paper that included an analysis of responses from more than 600 healthcare organizations that participated in CHIME's 2018 Most Wired survey.
According to David Finn, executive vice president of strategic innovation at security firm CynergisTek and a member of the federal task group, lack of financial resources is likely one of the main reasons why smaller organizations, described as having one to 50 beds in the white paper, are struggling to implement some of the cybersecurity recommendations. He said smaller organizations in remote areas may also struggle with a lack of skilled IT staff.
"A big organization has more resources both in terms of dollars and technical staff to address these kinds of things," Finn said.
A closer look at HICP
HICP identifies five major cybersecurity threats healthcare organizations face. It also highlights 10 main cybersecurity tools and practices that a healthcare organization should use regardless of size. They include:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity polices
HICP breaks down how healthcare organizations can approach and implement cybersecurity recommendations by the size of the healthcare organization. The HICP guidelines make cybersecurity recommendations based on available resources or lack thereof.
"Something that was very important through the whole process was we had a good mix that covered the provider community, the smalls, the mediums and the larges," said Erik Decker, chief security and privacy officer at University of Chicago Medicine and one of the main authors of the HICP guidelines. "We made sure that those voices were heard through the whole process so we weren't dominating it with the big players who have all the resources and money and people to handle all of the security stuff."
The task force took into account that smaller healthcare organizations often lack the resources of larger organizations for security initiatives, according to Decker. Making sure there were cybersecurity recommendations that even smaller organizations could implement was a crucial part of the guidelines, he said.
Three cybersecurity recommendations
While Decker recommended healthcare CIOs or other leaders in charge of security at smaller organizations read through the first 30 pages of HICP to get an understanding of how to implement good healthcare cybersecurity practices, he also provided a handful of tips for getting started:
- Follow assessment methodology
Decker suggested small healthcare organizations use the task group's recommended methodology to determine where and how they can start implementing healthcare cybersecurity practices. The methodology includes an Excel toolkit that enables organizations to prioritize the five threats: attacks against connected medical devices, loss or theft of equipment or data, email phishing attacks, ransomware attacks and insider, accidental or intentional data loss. The toolkit can help to indicate what cybersecurity best practice the organization should start with.
For example, if a healthcare organization rates phishing and ransomware as its biggest concerns, the toolkit will suggest email protection, such as flagging email messages from outside the organization as external or installing antivirus tools, as top cybersecurity recommendations.
Decker said the toolkit isn't available online yet, but organizations can reach out to the U.S. Department of Health and Human Services to receive it.
- Education and phishing simulations
The biggest cybersecurity threat smaller organizations face is likely a phishing-related attack. One way to combat phishing attacks is education and phishing simulations where IT tests the staff by "phishing your own people," Decker said. Phishing simulations use cheap, cloud-based tools to capture data and issue a report on who clicked the phishing link and who provided credentials. The program then offers training to those who fell prey to the simulation. Based on his experience at University of Chicago Medicine, Decker said phishing simulations work to decrease susceptibility. And, by making it a game rather than a punitive-type metric, the staff is more responsive to his efforts.
"When I walk through the halls of the medical center, I get people stopping me on the way saying, 'You didn't get me this time, Decker.' And I'm like, 'hey, great, I'm glad,'" he said.
- The internet is "dirty," so follow basic cyber hygiene rules
Decker described the internet as a dirty landscape. If a healthcare organization connects its computers to the network without safety precautions in place, an attack is inevitable, he said. It's important that healthcare organizations get past the "it's not going to happen to me" thinking. Healthcare CIOs need to find ways to install and maintain basic cybersecurity measures, such as having firewalls, encryption and properly secured medical devices, according to Decker.
"You wouldn't walk into a dirty bathroom with an open gash. That would be gross because it's highly likely to be infected," he said. "It's the same thing."