Health Industry Cybersecurity Practices: New consensus practices and tools from HHS

The US Department of Health and Human Services (HHS) has produced a set of cybersecurity resources for healthcare provider organizations from small to large. The Cybersecurity Act of 2015, Section 405(d) mandated that HHS respond meaningfully to security threats to the health care sector. HHS created a multidisciplinary task force with the aim of raising awareness, providing “vetted cybersecurity practices,” and facilitating consistency within the health care sector in detecting, understanding, and mitigating cybersecurity threats.

The task force began convening meetings in 2017. The effort encompassed a large multistakeholder group of more than 150 cybersecurity and health care professionals who crafted the overall approach, created drafts, and then pilot tested the information selected to be included in the published documents. The published documents will be updated as information changes and new practices and threats emerge.

The HHS Cybersecurity Reports and Tools

So far, HHS has published four documents: an overview report of cybersecurity issues and practices, two technical volumes, and a toolkit. The documents focus on what the multiple stakeholders agreed via consensus to be the five most prevalent cybersecurity threats and the ten core cybersecurity practices. The practices in the documentation are voluntary, and utilize the NIST cybersecurity framework.

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients

The Health Industry Cybersecurity Practices report is an overview and a very good introduction for people who are new to cybersecurity, or who need a quick update on security in a health care environment. It covers the five primary threats the consensus group identified: email phishing, ransomware, loss or theft of equipment or data, insider attacks (accidental or intentional), and attacks against connected medical devices that may affect patient safety. The document explains the importance of security practices and provides context with real anecdotes.

One such example that stood out to me in the report was the description of an orthopedic practice breach. The practice announced that its computer system had been breached due to compromise of a software vendor’s log-in credentials. The breach affected almost a half-million people. Of those, the report states that: “500 patient profiles appeared for sale on the dark web. The information for sale included names, addresses, social security numbers, and other personally identifiable information (PII). Although not posted for sale, pertinent PHI such as X-ray results and medical diagnoses were also stolen.” (p. 8) This is the kind of health breach activity that can lead to identity theft, including medical forms of identity theft.

The overview report is 34 pages, and does a good job of visualizing and introducing concepts as well as contextualizing threats to the healthcare sector. The stakes for health care providers are high. For example, the report says that 4 in 5 physicians have experienced some form of a cybersecurity attack. (p.8). The focus is not on blaming or shaming the health care sector, but rather providing the reasons why cybersecurity is a concern for all, and discussing approaches and steps to take to begin to solve the problems.

Technical Volume I: Cybersecurity Practices for Small Health Care Organizations

Volume 1 of the technical discussion is crafted specifically for small health care organizations. While the overview report explains the general risk that smaller entities can experience from cybersecurity issues, Volume 1 discusses the specifics of what that means. Technical Volume I covers ten core cybersecurity practices and sub-practices for small health care organizations. The ten core practices are:

  • E-mail protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

The discussions of threat scenarios are scaled to how a small organization might approach the threats. For email systems, for example, the volume provides a chart of specific phishing techniques (p. 8) and other practical information about potential mitigation strategies. Volume I is 29 pages.

Technical Vol. II: Cybersecurity Practices for Large and Medium Health Care Organizations

Volume II, at 108 pages, focuses on the technical needs of medium and large health care organizations. Like Volume I for small health care organizations, Vol. II covers the practical implementation of core and sub-core cybersecurity practices, but with advice specifically scaled for medium and large entities. The ten core practices are the same for Volumes I and II (E-mail protection systems, Endpoint protection systems, Access management, Data protection and loss prevention, Asset management, Network management, Vulnerability management, Incident response, Medical device security, and Cybersecurity policies).

The threat discussions of Technical Volume II are helpful and provide more specificity than the general introductory document, and tend to go into more technical depth than Volume I. For example, the email discussion in Volume II delves into specific threat scenarios, such as credential theft and malware dropper attacks delivered by email (p. 14), among other items.

Even though Volume II is geared toward large and medium organizations, smaller organizations could learn a great deal from reading both volumes, and vice versa.

Resources and Templates

In addition to the overview and technical volumes, there is a cybersecurity Resources and Templates document. This document includes items such as a glossary, a detailed visual of how the core practices map to the NIST framework, and risk assessment tools, among other items.

There is one additional document that is still in development, the Cybersecurity Practices Assessments Toolkit (Appendix E-1). This resource will focus on helping organizations prioritize and plan their cybersecurity efforts. It will be available at HHS’s PHE page when complete.

Concluding Thoughts

Overall, the output of the task force is helpful for healthcare sector providers, from hospitals to small clinics to researchers to the full range of Business Associates. The documentation is grounded in reality, not conjecture, and the documents are not intended to sell any particular products for any particular vendor. This has allowed for a rich and helpful documentation of current challenges along with solutions.

There are certain additional discussions and topics I would have included in the documents, and the effort would have benefited from including privacy scholars and researchers who have spent time in the field, and those who have a lot of experience with patients who are victims of these incidents across a wide variety of settings. That being said, these documents and resources should be required reading for many if not most healthcare sector administrative personnel, and all IT security personnel who are working in the health care sector.

–Pam Dixon

Publication information:

Jan. 3, 2019 first publication.