Years ago, when I sat for my CISSP, I went into the exam carrying two bits of advice offered to me by a mentor:
#1. In matters of security, choose the most conservative path.
#2. Life safety above all else.
Critical infrastructure providers, and more specifically those in the Healthcare and Public Health (HPH) sector, have rightly followed this advice wherever possible.
However, in our effort to limit the potential impact on life-safety equipment, more often than not we are forced to make security concessions: we rely on the FDA guidance alone and hope a given medical technology does not provide some obscure vector into our protected environments, especially those dedicated to patient care.
Fortunately, security solutions are evolving and adapting to give security professionals deeper insight into these environments and the full solution footprint, while at the same time reducing the potential for impact on those same environments (for example, by inventorying and profiling devices passively from observed network traffic rather than by actively probing equipment that may not tolerate a scan). The net result is that we, as security professionals, are quickly reaching a point where we can build an effective security program around life-safety and patient care technologies.
But how do we develop this strategy? Until now, there has been a significant lack of comprehensive, consistent direction.
In an effort to solve this ongoing challenge, the U.S. Department of Health & Human Services (HHS), partnering with industry, published voluntary guidance in December 2018 entitled “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients”. The guidance identifies five major threats to the industry, including those with direct life-safety implications, and a set of ten cybersecurity practices to mitigate them.
The five cybersecurity threats HHS identifies as having the greatest impact on the HPH sector are:
1. E-mail phishing attacks
2. Ransomware attacks
3. Loss or theft of equipment or data
4. Insider, accidental or intentional data loss
5. Attacks against connected medical devices that may affect patient safety
We welcome this resource. It gives the cybersecurity community industry-specific, actionable guidance, and it significantly closes the knowledge gap on what it takes to lay the foundation for a strong cybersecurity strategy in the healthcare industry.
As we work to build this foundation, drawing on the experience of other industry professionals, as captured in the publication above, becomes fundamental to maturing our own security strategies. Couple this with making effective use of our partners and providers, and we no longer have to make the concessions we have made in the past. The result is that we can effectively secure our healthcare environments while keeping our focus squarely on life safety and patient care.
The publication is organized into a main document and three companion volumes:
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP): The main document examines the cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores the five current threats listed above and presents ten practices to mitigate them.
- Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations: Technical Volume 1 discusses the ten Cybersecurity Practices, along with their Sub-Practices, as they apply to small health care organizations.
- Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations: Technical Volume 2 discusses the ten Cybersecurity Practices, along with their Sub-Practices, as they apply to medium and large health care organizations.
- Resources and Templates: The Resources and Templates volume includes a variety of cybersecurity resources and templates for end users to reference.