The four-volume publication provides voluntary information security practices to health care organizations ranging from small local clinics to large hospital systems.
The U.S. government’s Department of Health and Human Services (HHS) late last month unveiled a four-volume publication crafted to provide voluntary infosec best practices to health care organizations looking to improve the security and safety of patients and their data.
The Lowdown: The publication, titled “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients,” covers the most prevalent threats encountered in health IT and includes a list of security practices to mitigate them. Volume one of the publication details controls to combat phishing, ransomware, insider threats, hardware theft, attacks targeting embedded and connected devices, and accidental data loss.
The Details: In addition to the list of threats and controls, the publication includes case studies and statistics to highlight the financial and patient-care implications of attacks and breaches. The HICP also features separate technical sections specifically geared for small health care organizations and large medical facilities, as well as resources and templates for assessing infosec posture and developing security policies.
The Impact: In the coming months, HHS will work with industry stakeholders, including IT service providers serving the health care vertical, to raise awareness and implement the recommended security practices, agency officials said.
Background: The publication is the result of a two-year effort that brought together more than 150 infosec and health care experts under HHS’ Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Public-Private Partnership. The publication is part of a mandate included in the federal government’s Cybersecurity Act of 2015 — specifically, the portion of the act calling for the development of practical guidelines to mitigate security risks in health care.
The Buzz: “Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in health care and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively,” said Janet Vogel, acting Chief Information Security Officer at HHS.
“The health care industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyberthreats,” said Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine. “That is exactly what this resource delivers … recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert.”
Channelnomics Point of View: Technology is inarguably vital to modern health care, with myriad life-saving treatments dependent on cutting-edge approaches to patient care. As medicine increasingly relies on technology, however, the implications of attacks on data integrity, availability, and confidentiality grow more dire. Despite the high stakes, health care organizations continue to struggle with basic security controls even as attacks grow more sophisticated. The gap in infosec capabilities creates opportunities for the channel, but only if IT service providers are up to the task of addressing the specialized security needs in health care.
Perhaps the most important part of the HICP is its call to action for health care executives, practitioners, and IT providers to embrace the concept that “protective and preventive measures must be taken now.” At the least, the HHS document helps set a baseline approach to safeguarding these vital organizations.