Written by Guy McAllister, Director, Privacy & Security - iatricSystems
On October 27, 2015, Congress passed the Cybersecurity Information Sharing Act (CISA). Section 405 of CISA is specific to healthcare and charges Health and Human Services (HHS) with the responsibility of leading healthcare cybersecurity efforts, with the goal of keeping patient personal data secure.
Along with the charge to HHS comes the creation of a task force of healthcare industry leaders and cybersecurity experts to identify challenges and solutions in securing against cyber threats.
I have been privileged to be a small part of the Cybersecurity Information Sharing Act (CISA) Task Force, and in late December 2018 Health and Human Services published “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” which is the work to date of this group.
The Task Group’s approach in creating the document:
The publication consists of a main document, two technical volumes, and appendices that include resources and templates. Technical volume 1 focuses on cybersecurity practices for small healthcare organizations, whereas technical volume 2 is designed for medium to larger healthcare organizations.
There are five cybersecurity threats identified:
The technical volumes for large- to small-sized organizations detail ten “best practices” to mitigate these threats:
Multi-factor authentication and workforce education are recurring themes in the best practices against cybersecurity threats.
The question begging to be asked is, what are your best practices to address each of the five listed threats? Are those practices valid and tested (in line with the ten best practices in the publication)?
Whether nation-state actors, cyber criminals or hacktivists, hackers are making money from illegally obtained healthcare data. This data is sold on black markets to enable Medicare fraud and identity theft. These efforts are growing in number year after year. Here are some dollar facts from the publication on data breach cost per record:
The “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” publication is both a call to action and a valuable resource tool.
You may be wandering in the wilderness of despair. A wilderness comprised of the constant cyber threats we must combat every day. If you are wandering, and wondering what you can do about securing your remote access, you are welcome to schedule a meeting with me to discuss solutions that will help.