If you are in the health care industry, you might be aware of the voluntary cybersecurity guidance issued by Department of Health and Human Services (HHS) for health care industry. This guidance is aptly titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (aka HICP), as the key to “protecting patients and their data” is directly dependent on the organization’s ability to “managing threats”.
The letter from HHS Deputy Secretary included in the report explicitly mentions that cyber attacks are especially concerning for health sector, since these attacks can directly threaten not just the security of the systems but also the health and safety of American patients. The report in “Executive Summary” mentions the following:
“Given the increasingly sophisticated and widespread nature of cyber-attacks, the health care industry must make cybersecurity a priority and make the investments needed to protect its patients.”
The complete publication comprises of the following:
- Main document (which I refer to as the report in this blog) – Its purpose is to set forth a call to action for health care industry, especially executive decision makers, with the goal of raising general awareness of the issue.
- Technical Volume 1 – Provides 10 Cybersecurity practices intended for small health care organizations.
- Technical Volume 2 – Provides 10 Cybersecurity practices intended for medium-sized and large health care organizations.
The main document covers 5 threats as mentioned below:
- E-mail phishing attacks
- Ransomware attacks
- Loss or theft of equipment of data
- Insider, accidental or intentional data loss
- Attacks against connected medical devices that may affect patient safety
The technical volumes detail 10 practices to mitigate these threats, as below:
- E-mail protection systems
- Endpoint protection systems
- Access Management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
Some interesting facts mentioned in the report:
- “4 in 5 US physicians have experience some form of a cybersecurity attack”
- “In 2017, cyber-attacks cost small and medium-sized business an average of $2.2 million”
- “$6.2 billion lost by US Health Care System in 2016 due to data breaches”
The report does an excellent job at explaining the difference between a threat and vulnerability by providing an healthcare analog. For each of the 5 threats covered in the report, details modeled using “Vulnerability → Threat → Practice” model.
Here is a snippet from the report explaining the “Vulnerability → Threat → Practice” model using “Influenza” as a threat:
Let us consider “Ransomware attack” threat to better understand things. One of the “vulnerabilities” that could lead to “ransomware attack” is “Unpatched software” and the recommended practice is “Patch software according to authorized procedures (7.S.A)”. In case you are wondering as to what “(7.S.A)” is? It is basically an index into the 10 cybersecurity practices advocated in the Technical Volumes accompanying the report.
The seventh practice in the Technical Volume refers to “Vulnerability Management”. Here is a snippet of what the “Vulnerability Management” practice implies to small, medium and large organizations:
Small healthcare organization
Medium healthcare organization
Large healthcare organization
ThreatWatch provides effective and superior vulnerability management capabilities which can be leveraged by healthcare organizations to improve their security posture to defend against cyber-attacks. ThreatWatch collects vulnerability intel from numerous sources and performs impact analysis on organization assets to help improve their security posture. ThreatWatch is differentiated from traditional vendors like Rapid7, Tenable, etc. in that we offer:
- Machine curated vulnerability intel coupled with zero-touch non-intrusive impact assessment done in near real-time to help reduce the window of compromise and improve security posture.
- Pro-active rather than Re-active model for security with no need for periodic scheduled scans.
To know more about our Vulnerability Management as a Managed Service (VMMS), please contact us at: info@threatwatch.io