I’ve worked with healthcare organizations of all sizes for many years and questions are regularly asked about what the best controls framework is for building a cybersecurity program. Surprisingly, very little guidance related to cybersecurity has been provided by the government in the past years even though healthcare has been one of the prime targets of hackers. Stories of hacking, phishing, and malware/ransomware have been prevalent on almost a weekly basis. With the majority of healthcare organizations being understaffed and underfunded, efforts to develop a cybersecurity program have typically been done in a piecemeal fashion to meet the barebone requirements.
Roadmap for Developing & Improving Cybersecurity Programs
This week the Department of Health and Human Services (HHS) took a good first step by offering the healthcare industry with a roadmap for developing and improving their cybersecurity programs. A four-volume publication was released by HHS providing cybersecurity best practices to help improve and grow a healthcare organization’s preparedness for current and future cyber events. The HHS cybersecurity best practices are voluntary and were developed by a group of 150 experts within the healthcare and security industries along with representatives from a variety of government agencies. Realizing that healthcare organizations vary in size and capability, HHS chose to offer two technical volumes; one for small organizations and another for midsize to large organizations.
Utilizing the NIST Cybersecurity Framework
During the development of the HHS cybersecurity best practices, a decision was made to not develop a new security framework or set of controls, but to leverage the established NIST Cybersecurity framework. The cybersecurity framework provided by HHS maps to the controls established within the NIST Cybersecurity framework along with HIPAA controls and regulatory guidance from agencies such as the Centers of Medicare and Medicaid Services, the Office for Civil Rights, and the Food and Drug Administration. Realizing that smaller organizations may be developing a cybersecurity program from scratch and that larger organizations may be more mature, the controls/best practices within the HHS documents have been tiered in such a way that organizations of various sizes can begin or grow their cybersecurity program. The HHS best practice documents have been organized according to the top 10 most effective cybersecurity practices that was published by the HHS Cyber Task Force.
Key Areas of an Effective Cybersecurity Program
From a review of the HHS cybersecurity best practice documents, the following areas are highlighted as being key to the development of an effective cybersecurity program:
- The development of effective cybersecurity policies that can be integrated into an organization
- The use of multi-factor authentication for remote email access
- Development and testing of an effective incident response program that has buy-in from departmental end-users
- Use of effective data loss prevention technology that can be monitored
- Development of effective access management controls for the network and applications
- The implementation of effective network monitoring software/technology that allows for proactive alerts and the ability to perform analytics
- Development of effective medical device security controls that limit the introduction of potential vulnerabilities
- The implementation of a vulnerability management program (e.g. performance of monthly vulnerability scans) and the performance of third party penetration testing and remediation efforts
- A focus on endpoint security which involves the implementation of network segmentation and the consideration of virtualization
- The development of an effective asset management process that works in tandem with access management controls
- The establishment of an effective vendor management program that requires consideration of security and privacy when vetting technology vendors
With the topic of cybersecurity being front and center within the healthcare industry currently, HHS has provided a set of best practices that are integral in the development of an effective cybersecurity program. Though each healthcare organization may be in a different stage of program development, these documents provide a resource for management to assist in the establishment of effective controls that will allow organizations to reduce their risk footprint.