HHS Leverages NIST Cybersecurity Framework in Voluntary Health Sector Guidelines

King & Spalding

In its most recent cybersecurity initiative, the U.S. Department of Health and Human Services (HHS) has released Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, described as a set of “practical, understandable, implementable, industry-led, and consensus-based” voluntary cybersecurity guidelines, including best practices, methodologies, procedures, and processes, and intended to reduce cybersecurity risks for health care organizations of all kinds.  The guidance consists of a main document, two volumes of technical information, and resources and templates.

The guidelines are the work product of a task group of HHS government partners and more than 150 healthcare and cybersecurity experts that set out in May 2017 to align health care industry security approaches pursuant to the Cybersecurity Act of 2015 (CSA), with three stated goals: (1) cost-effectively reduce cybersecurity risks for a range of health care organizations; (2) support the voluntary adoption and implementation of its recommendations; and (3) ensure, on an ongoing basis, that content is actionable, practical, and relevant to health care stakeholders of every size and resource level.

Notably, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients does not “reinvent the wheel.”  Instead, the guidance identifies five current cybersecurity threats followed by ten practices that are consistent with the foundational NIST Cybersecurity Framework, illustrating how the health sector specifically can achieve each function of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.  The guidance explores the following threats in detail, in addition to providing “Threat Quick Tips” and a table of vulnerabilities, potential impacts on the organization, and “Practices to Consider” for each:

  1. E-mail phishing attacks;
  2. Ransomware attacks;
  3. Loss or theft of equipment or data;
  4. Insider, accidental or intentional data loss; and
  5. Attacks against connected medical devices that may affect patient safety.

Technical volumes address the following ten corresponding practices to mitigate these threats:

  1. E-mail protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

These practices are intended to enable small, medium, and large organizations to strengthen their cybersecurity capabilities in three ways: by evaluating and benchmarking those capabilities effectively and reliably; by improving cybersecurity competency through sharing knowledge, common practices, and appropriate references across the sector; and by prioritizing actions and investments.  The guidance itself does not prioritize the practices.  Rather, it leaves each organization the flexibility to determine the needs of its unique security landscape (e.g., through a risk assessment).

Technical Volume 1 contains the ten practices and sub-practices specific to small organizations, whereas Technical Volume 2 contains the ten practices, sub-practices specific to medium organizations, and sub-practices specific to large organizations.  For example, the “incident response” practice includes incident response and ISAC/ISAO participation sub-practices for small organizations but additionally includes a security operations center sub-practice for medium organizations and advanced security operations centers, advanced information sharing, incident response orchestration, baseline network traffic, user behavior analytics, and deception technologies sub-practices for large organizations.

Overall, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients provides an excellent primer on current threats, impacts, and mitigations, as well as suggested controls for small, medium, and large organizations, but it does not address the mandatory controls against which regulators will audit them.  Like many legislatively mandated efforts, much of the guidance summarizes material that already exists.  However, small organizations may find the technical volumes, resources, and templates useful in justifying necessary improvements that address the most common threats against health care systems.

The guidance represents a break with the past in that it is “best practice”-based rather than risk-based.  Many health care organizations lack the necessary knowledge, skill, ability, and experience to assess “risk” but know what practices are effective and efficient.  That said, best practices this year are likely to be very different from best practices in 2018, much less in 2015.  Specifically, “least privilege” access control, strong authentication, end-to-end application layer encryption, improved (not to say novel) backup and recovery strategies, and early attack and breach detection will be necessary to address the more organized and hostile 2019 threat profile.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
