On October 27, 2015, the Senate passed the Cybersecurity Information Sharing Act (CISA); it was signed into law that December as part of the Consolidated Appropriations Act, 2016. Section 405 of CISA is specific to healthcare and charges the Department of Health and Human Services (HHS) with leading healthcare cybersecurity efforts, with the goal of keeping patient data secure.
Along with the charge to HHS came the creation of a task force of healthcare industry leaders and cybersecurity experts to identify the challenges and solutions in securing the sector against cyber threats.
I have been privileged to be a small part of the Cybersecurity Information Sharing Act (CISA) Task Force and in late December 2018, Health and Human Services published “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” which is the work to date of this group.
The Task Group took a three-step approach in creating the document:
- Examine current cybersecurity threats affecting the Healthcare and Public Health sector
- Identify specific weaknesses that make organizations more vulnerable to the threats
- Provide selected practices that cybersecurity experts rank as the most effective to mitigate the threats
The publication consists of a main document, two technical volumes, and appendices that include resources and templates. Technical Volume 1 covers cybersecurity practices for small healthcare organizations, whereas Technical Volume 2 is designed for medium and large healthcare organizations.
There are five cybersecurity threats identified:
- Email phishing attacks
- Ransomware attacks
- Loss or theft of equipment or data
- Insider, accidental or intentional data loss
- Attacks against connected medical devices that may affect patient safety
The technical volumes for small through large organizations detail ten practices to mitigate these threats:
- E-mail protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
Each practice is broken down into sub-practices scaled to organization size. Several of those sub-practices deserve calling out on their own, because they appear under more than one of the ten: email encryption, workforce education, and multifactor authentication (in particular, multifactor authentication for remote access), which fall chiefly under e-mail protection and access management.
Multifactor authentication and workforce education are recurring themes in the practices against all five threats, so two questions are worth asking first:
- Are you running an ongoing education plan that keeps your workforce aware and trained, rather than a one-time onboarding session?
- Have you deployed multifactor authentication for network access, and especially for remote access?
The larger question that begs asking is: what are your practices for addressing each of the five listed threats, and are those practices tested and in line with the ten practices in the publication?
Whether the attackers are nation-state actors, cyber criminals or hacktivists, illegally obtained healthcare data is being turned into money. The data is sold on black markets to enable Medicare fraud and identity theft, and the number of reported breaches grows year after year. Here are the per-record data breach cost figures cited in the publication, by industry:
- Health industry $408
- Financial industry $206
- Technology industry $170
- Education industry $160
- Commerce industry $128
The “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” publication is both a call to action and a valuable resource tool.
You may be wandering in the wilderness of despair, a wilderness made up of the constant cyber threats we must combat every day. If you are wandering, and wondering what you can do about securing your remote access, you are welcome to schedule a meeting with me to discuss solutions that will help.