The report, Health Industry Security Practices, came from a collaboration of more than 100 professionals in healthcare, cyber security, and privacy.
Rather than attempt to kill every cyber threat in one punch, the group focused on what it considers the five most significant threats in healthcare.
5 Biggest Cyber Threats in Healthcare
- E-mail phishing attacks
- Ransomware attacks
- Loss or theft of equipment or data
- Insider, accidental or intentional data loss
- Attacks against connected medical devices that may affect patient safety
The report also outlines 10 security practices to combat these threats in small businesses in healthcare, and separately in larger businesses.
We mined the recommended practices for small businesses and give you the highlights below.
Note: the report is broken into four separate documents. You can learn more about it at the end of this post.
Practice #1. Email Protection Systems
Email is the most common channel used in successful cyber attacks. The recommendations fall into three categories.
Email system configuration
- Do not allow free or consumer email systems for business use
- Scan and filter email for spam and viruses
- Deploy multi-factor authentication for email access
- Enable web filtering to block access to malicious websites (many phishing emails link to bad sites)
- Tag emails arriving from outside the organization as “EXTERNAL” (to raise user awareness)
- Add an email encryption module that allows users to send secure emails to protect sensitive info
- Give every employee a unique user account tied to a unique email address and do not allow them to be shared
- Deactivate accounts when a user leaves the organization
- Establish a training program for employees and be sure to cover phishing and other email-based attacks.
- Test users on their ability to recognize and report phishing attacks. Do this with regular mock-attacks. Many third party simulation tools can help.
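Two of the configuration items above (tag mail from outside the organization as external, and keep free/consumer mail services out of business use) are simple enough to show as a mail-filter rule. The following is an added example written for this post, not code from the HICP report or any mail product; it parses a raw message with Python's standard `email` module, treats the constructed `clinic.example` domain as internal, and uses a short, partial list of consumer providers that you would maintain yourself.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example; substitute your own domain(s).
INTERNAL_DOMAINS = {"clinic.example"}
# Assumption: a list of free/consumer mail providers that you maintain (partial here).
CONSUMER_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
EXTERNAL_TAG = "[EXTERNAL]"


def sender_domain(msg):
    """Return the lowercase domain of the address in the From: header."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg):
    """A message is external when its From: domain is not one of ours."""
    return sender_domain(msg) not in INTERNAL_DOMAINS


def tag_external(msg):
    """Prefix the Subject with the EXTERNAL tag for outside senders (idempotent)."""
    if is_external(msg):
        subject = msg.get("Subject", "")
        if not subject.startswith(EXTERNAL_TAG):
            del msg["Subject"]
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    return msg


def from_consumer_provider(msg):
    """True when the sender uses a free/consumer mail service (policy review item)."""
    return sender_domain(msg) in CONSUMER_DOMAINS


def process(raw):
    """Parse one raw message; return (final subject, external?, consumer provider?)."""
    msg = tag_external(message_from_string(raw))
    return msg["Subject"], is_external(msg), from_consumer_provider(msg)


# Constructed sample messages for demonstration.
INTERNAL_MAIL = "From: Dr Lee <lee@clinic.example>\nSubject: Schedule\n\nHi\n"
CONSUMER_MAIL = ("From: Billing <billing.clinic@gmail.com>\n"
                 "Subject: Invoice attached\n\nSee attachment\n")

if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, CONSUMER_MAIL):
        print(process(raw))
```

The tag is only added once even if the same message passes the filter twice (for example, when it is forwarded internally), and a message from a consumer provider is flagged rather than blocked, since the report's recommendation is a usage policy, not a hard reject.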
Practice #2. Endpoint Protection Systems
Endpoints include workstations, mobile devices, printers, and others. While email attacks are one of the biggest threats against them, another is client-side attacks.
Rather than attacking a server, a client-side attack targets end-point vulnerabilities, such as an unpatched web browser on a workstation.
- Remove access to administrative accounts on endpoints. Only authorized personnel should be allowed to install programs or modify the system.
- Keep endpoints patched to remove known vulnerabilities. Patch automatically when possible.
- Deploy anti-virus software to protect against known malware
- Maintain endpoint encryption (i.e. full-disk encryption), especially for endpoints that can access the electronic health record (EHR) system
- Enable local firewalls on endpoints
- For remote access, require multifactor authentication.
Practice #3. Access Management
Access controls are critical to data security. Without a sound structure for managing and monitoring access to sensitive systems, securing those systems will remain an elusive dream.
- Create a unique account for each user
- Eliminate or limit the use of shared or generic accounts. If you cannot eliminate them, train users to sign out upon completion of a given activity or if they step away from a device, even for a moment. Passwords should be changed after each use.
- Practice the Principle of Least Privilege. Allow each user to access only systems required to perform his or her role, and only during times when access is necessary.
- Tailor access to the needs of each user. For example, most employees need access to the email server, but not to the accounting records.
- When an employee leaves the organization, terminate access to systems immediately.
- Automatically sign out users and lock systems after a set period of inactivity (e.g. 15 minutes)
- Implement single sign-on to centrally manage and monitor access to all software and tools once users sign into the network.
- Use multi-factor authentication for access to cloud-based systems that handle sensitive data (such as EHRs)
Practice #4. Data Protection & Loss Prevention
Although many of the recommendations made in this post could be considered “data protection”, this section deals specifically with loss prevention policies, procedures, and training.
- Remind users of the highly sensitive nature of the data they use and the potential consequences of its misuse or mishandling.
- Create a data classification scheme (e.g. Sensitive, Internal, Public), and identify the types of data covered in each category.
- Require data stored on any device to be encrypted – including on thumb drives and mobile phones. Forbid the use of unencrypted storage.
- Following your data classification scheme, establish data usage procedures. Identify the users allowed to access sensitive data and the circumstances that allow such data to be accessed.
- Encrypt all PHI sent via email or text message. Use secure applications for these communications, such as Direct Secure Messaging (DSM) for secure emails.
- If possible, implement data loss prevention technologies to protect PHI. Here’s a list of DLP vendors and solutions.
- Do not allow data to be backed up to unmanaged storage devices or personal cloud services.
- Protect and monitor access to archived data, even if it’s used infrequently.
- Properly dispose of obsolete, outdated, or unneeded data.
- Do not store unnecessary data. Store only that which is needed for the organization to operate and comply with record storage requirements.
- Regularly train employees on how to comply with the policies and procedures. At a minimum, train annually on the most important aspects, such as data encryption and access controls.
Practice #5. Asset Management
To protect systems such as workstations, servers, and mobile devices, you must first know that they exist and what role they play in the organization.
- Perform a full IT inventory. For small networks, this can be done with a simple spreadsheet. For each device, save information such as a unique asset ID, host name, IP address, cost, etc.
- Add newly purchased systems to the inventory when they are acquired.
- Establish a set of procedures for decommissioning equipment – including secure destruction – and ensure each destruction and/or decommissioning is recorded.
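Two of the practices above reduce to the same check: Practice #3 asks that access be terminated the moment an employee leaves, and Practice #5 asks that the inventory match what is actually on the network and that decommissioning be recorded. Both are a reconciliation of an authoritative record against what is observed. The example below is added for this post (it is not from the HICP report or any vendor tool) and uses constructed CSV exports: an HR roster against a directory account list, and an asset inventory against a DHCP lease export. Column names are assumptions; adapt them to your own exports.

```python
import csv
import io


def load_rows(text, key, where=None):
    """Parse a CSV export into {key: row}, keeping only rows that pass `where`."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        if where and not where(row):
            continue
        k = (row.get(key) or "").strip().lower()
        if k:
            rows[k] = row
    return rows


def reconcile(authoritative, observed):
    """Compare two dicts keyed on the same identifier.

    Returns (unknown, missing):
      unknown - seen in the environment but absent from the authoritative record
      missing - in the authoritative record but not observed
    """
    a, o = set(authoritative), set(observed)
    return sorted(o - a), sorted(a - o)


# --- Practice #3: enabled accounts vs. HR's list of active staff (constructed) ---
HR_ROSTER_CSV = """username,status
alee,active
bkim,active
cpark,terminated
"""
DIRECTORY_CSV = """username,enabled
alee,true
bkim,true
cpark,true
svc_backup,true
"""


def account_findings():
    """Accounts that should be disabled, and active staff with no enabled account."""
    roster = load_rows(HR_ROSTER_CSV, "username",
                       where=lambda r: r["status"].strip().lower() == "active")
    directory = load_rows(DIRECTORY_CSV, "username",
                          where=lambda r: r["enabled"].strip().lower() == "true")
    return reconcile(roster, directory)


# --- Practice #5: asset inventory vs. hosts actually seen on the network (constructed) ---
INVENTORY_CSV = """asset_id,hostname,ip,role
A-001,reception-pc,10.0.1.10,workstation
A-002,ehr-srv,10.0.1.20,server
A-003,old-laptop,10.0.1.30,workstation
"""
DHCP_LEASES_CSV = """hostname,ip,mac
reception-pc,10.0.1.10,aa:bb:cc:00:00:01
ehr-srv,10.0.1.20,aa:bb:cc:00:00:02
printer-lobby,10.0.1.40,aa:bb:cc:00:00:03
"""


def inventory_findings():
    """Devices on the network with no inventory record, and inventoried assets not seen."""
    inventory = load_rows(INVENTORY_CSV, "hostname")
    seen = load_rows(DHCP_LEASES_CSV, "hostname")
    return reconcile(inventory, seen)


if __name__ == "__main__":
    to_disable, no_account = account_findings()
    print("accounts to disable:", to_disable, "| staff without account:", no_account)
    unknown, unseen = inventory_findings()
    print("uninventoried devices:", unknown, "| assets not seen:", unseen)
```

In the constructed data the directory still has an enabled account for a terminated employee and a generic `svc_backup` account that no person in HR owns; both surface in the first list. On the network side, a lobby printer has appeared without an inventory entry, and an inventoried laptop is no longer seen, which is exactly the case where the decommissioning record should be checked.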
Practice #6. Network Management
The network is the circulatory system of the organization’s digital life. It must be secured.
- Following the Principle of Least Privilege, restrict devices on the network to accessing only the networks and systems required for their assigned tasks.
- Disallow all access to the network from the Internet.
- Identify assets with potentially high impact if compromised (such as medical devices, security cameras, and badge readers) and restrict access to them.
- Allow vendors and other third-party entities to connect to the network only through tightly controlled interfaces.
- Establish and enforce network traffic restrictions, such as with role-based controls that restrict user access to certain websites and applications.
- Create guest networks for public use. Test them to ensure they are separated from private systems and can reach only guest services.
Physical Security and Guest Access
- Physical access to network and server equipment should be restricted to IT professionals.
- Always lock data and network closets. Use card readers rather than traditional keys.
- Disable physical network ports that are not in use.
- Deploy a modern firewall that includes an intrusion prevention system. Choose one that updates automatically (such as AccessEnforcer UTM Firewall) and ensure the feature is activated.
Practice #7. Vulnerability Management
Hackers and cyber thieves often exploit vulnerabilities – i.e. security flaws – for their own ends.
A thoughtful and consistent program to detect, prioritize, and patch vulnerabilities is absolutely critical to protecting the organization’s data.
- Regularly perform vulnerability scans on critical systems, especially servers.
- Also scan public-facing services, such as patient portals, for vulnerabilities using a web application scanning tool
- Most scanners will “score” the flaws detected. Prioritize the vulnerabilities based on their level of severity
- Routinely patch flaws in servers, applications, and third-party software. Such maintenance should be performed at least monthly, and patches should be applied automatically if possible
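The four steps above (scan, include public-facing services, prioritize by the scanner's score, patch on at least a monthly cycle) can be turned into a small triage routine. The example below is added for this post and is not from the HICP report or any scanner vendor. It reads a constructed CSV export in a shape most scanners can produce, maps the CVSS v3 score onto the standard qualitative bands (Critical 9.0 and above, High 7.0 to 8.9, Medium 4.0 to 6.9, Low below 4.0), ranks internet-facing findings ahead of internal ones at the same severity, and marks anything older than a 30-day patch window as overdue. The column names and the 30-day window are assumptions.

```python
import csv
import io
from datetime import date

PATCH_WINDOW_DAYS = 30  # assumption: the "at least monthly" cycle from the practice


def severity(score):
    """Qualitative CVSS v3 severity band for a numeric base score."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


def parse_findings(text):
    """Parse a scanner CSV export (constructed column names) into dicts."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        findings.append({
            "host": row["host"].strip(),
            "finding": row["finding"].strip(),
            "score": float(row["cvss"]),
            "public": row["internet_facing"].strip().lower() == "yes",
            "first_seen": date.fromisoformat(row["first_seen"].strip()),
        })
    return findings


def prioritize(findings, today):
    """Annotate each finding with severity/age/overdue and sort most urgent first."""
    for f in findings:
        f["severity"] = severity(f["score"])
        f["age_days"] = (today - f["first_seen"]).days
        f["overdue"] = f["age_days"] > PATCH_WINDOW_DAYS
    # Severity first, then exposure, then raw score, then how long it has been open.
    return sorted(
        findings,
        key=lambda f: (SEVERITY_RANK[f["severity"]], f["public"], f["score"], f["age_days"]),
        reverse=True,
    )


def overdue(findings):
    """Findings that have been open longer than the patch window."""
    return [f for f in findings if f["overdue"]]


def triage(text, today):
    return prioritize(parse_findings(text), today)


# Constructed scan export for demonstration.
SCAN_CSV = """host,finding,cvss,internet_facing,first_seen
patient-portal,Outdated TLS configuration,7.5,yes,2019-01-03
ehr-srv,Missing OS security update,9.8,no,2019-02-10
reception-pc,Outdated web browser,8.8,no,2019-02-20
ehr-srv,Info disclosure banner,3.1,no,2018-11-01
"""

if __name__ == "__main__":
    for f in triage(SCAN_CSV, date(2019, 3, 1)):
        flag = "OVERDUE" if f["overdue"] else ""
        print(f"{f['severity']:8} {f['score']:4} {f['host']:15} {f['finding']:30} "
              f"{f['age_days']:3}d {flag}")
```

With the sample data the critical EHR server update sorts first, the internet-facing portal finding is ranked above a higher-scored but internal browser finding, and the low-severity banner issue is still reported as overdue because it has been open for months. Treating the exposure and the age as explicit sort keys, rather than relying on the score alone, is what keeps a long-ignored public-facing flaw from sinking to the bottom of the list.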
Practice #8. Incident Response
Every organization will experience a data breach. The amount of time needed to detect the breach, and the ability of the organization to contain it, are major factors in the total damage caused.
It’s especially important to have a response plan before an attack occurs.
- Identify the person in charge of the response and ensure the person is authorized to execute all tasks necessary to investigate the incident.
- Create a list of likely cyber security events and the basic steps needed to respond to each
- Seek out and monitor notifications on cyber security threats, such as by joining an Information Sharing and Analysis Organization (ISAO) and subscribing to alerts from the U.S. Computer Emergency Readiness Team
Practice #9. Medical Device Security
Medical devices are a miracle of the modern age, helping to diagnose and treat a vast range of conditions.
Unfortunately, for many years, their rapidly advancing capabilities have outpaced their security practices. When the technology went digital, joined the network, and began to transmit sensitive data, security was often an afterthought.
The DHS report on healthcare cybersecurity does not make specific recommendations for securing medical devices in small organizations. Instead, it points readers to the guidelines for larger organizations (shown below).
- Include medical devices in the organization’s programs for asset handling – such as for procurement, management, vulnerability management, decommissioning, etc.
- Medical devices should directly support anti-virus software. Ensure that an AV service is enabled on each device. If AV cannot be used, perform an AV scan any time the device is serviced
- Activate the device’s local firewall (if present). Ensure unused services and ports are disabled and the device can communicate with only required systems.
- Activate disk encryption (if present)
- Use application whitelisting to allow only known processes and executables to run on the device (where possible)
- Always change default passwords to long, complex, and unique ones.
- If possible, authentication on the device should bind with the organization’s authentication domain (so a terminated employee loses access immediately)
- If remote access is necessary, use multi-factor authentication.
Practice #10. Cybersecurity Policies
Every organization needs to create and clearly communicate its policies, procedures, and processes for cyber security. Otherwise, staff members and other stakeholders are left to guess which systems to protect and how.
Policies describe what is expected, and procedures describe how to meet those expectations.
More About the Report
The report, Health Industry Security Practices, is a result of the Cyber Security Act of 2015. The act required the Department of Health and Human Services (DHS) to create a task force to review and report on cyber security in healthcare.
Known as the CSA 405(d) Task Group, its more than 100 members cross roles such as cyber security, privacy, and healthcare. The group created a draft report in 2018, presented it to 120 stakeholders in healthcare for review, and published it in late December.
The “report” consists of four separate documents:
- Main Document – summarizes the major cyber security threats in healthcare and calls on the industry to do more to protect patients.
- Technical Volume 1 – recommended cyber security practices for small businesses in healthcare.
- Technical Volume 2 – recommended cyber security practices for medium- and large-sized businesses in healthcare.
- Resources & Templates Volume – additional material and references to supplement the other documents.
The 10 practices described in this post are found in Technical Volume 1.