The U.S. Department of Health and Human Services (HHS) recently published voluntary cybersecurity best practices entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (Best Practice Guide). These best practices were compiled over a two-year period by 150 cybersecurity and healthcare experts from both the public and private sector and are a cybersecurity roadmap for healthcare organizations of all types and sizes, from small local clinics to large regional hospital systems.
All entities, especially those in the healthcare field, can learn from this valuable resource.
The Four-Part Best Practice Guide
The Best Practice Guide is four sections: a main document (entitled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients); two technical volumes; and resources and templates. The Best Practice Guide’s goal is to increase awareness, provide sound practices, and consistently mitigate today’s most damaging cybersecurity threats in the healthcare industry.
Here’s a breakdown of the Best Practice Guide.
HICP explores today’s most common cybersecurity threats in healthcare. In particular, the HICP examines: (1) email phishing attacks, (2) ransomware attacks, (3) loss or theft of equipment or data, (4) insider, accidental or intentional data loss and (5) attacks against connected medical devices that may affect patient safety.
So, “How do I mitigate the five threats that were outlined in the HICP?” That answer is provided in these technical volumes which address the details needed to implement cybersecurity practices to minimize the impact of the identified 5 common threats.
Volume 1 provides cybersecurity practices for small healthcare organizations who have limited resources for managing their cybersecurity practices but are equally (and sometimes more) subject to cyberattacks. Volume 2 focuses on the same practices for medium to large-sized healthcare organizations.
Both volumes look at these ten practices to mitigate the common threats.
- E-mail protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
- Part Four: Resources and Templates
These materials are additional resources and references to supplement the HICP and Technical Volumes 1 and 2.
The Best Practice Guide is a great starting point for fundamental cybersecurity practices to implement in your organization. After reviewing the guide, you will have a solid understanding of modern cybersecurity threats, what makes them so effective, and how you can defend against them.
Your cyber insurance policy includes easy access to cybersecurity professionals. These professionals can help you not only implement the advice in the Best Practice Guide, but with all aspects of your organization’s cybersecurity and privacy programs. Access to these cybersecurity and privacy professionals has been prepaid by your insurance carrier and there is no charge to you!
To consult with these professionals, please email us at firstname.lastname@example.org.