What do HHS’s latest cybersecurity guidelines mean for healthcare organizations?

What do HHS’s latest cybersecurity guidelines mean for healthcare organizations?


At the end of 2018, the US Department of Health and Human Services (HHS) released guidance on cybersecurity best practices for healthcare organizations. Like many in the healthcare industry, you may be asking, What’s in these guidelines? Why are they important? What do they mean for me and my organization?

About the Guidelines

These guidelines are the result of a collaboration between HHS and its industry partners, called the 405(d) Task Group (also known as Task Group-1F) within the Health Sector Coordinating Council’s Cyber Working Group. The HHS and the Task Group engaged with more than 150 healthcare and cybersecurity experts, as well as HHS government partners to gather feedback and generate and prioritize a set of cybersecurity recommendations for healthcare organizations.

The goal of these guidelines is to provide a collection of voluntary, consensus-based principles and practices to improve cybersecurity in the health sector. The guidelines obviously cannot cover every single cybersecurity challenge in healthcare, so they focus on the five most prevalent threats and suggest ten key best practices to help a broad range of healthcare organizations tangibly improve their cybersecurity posture.

Why the Guidelines are Important

The digital transformation of the healthcare industry to electronic health records (EHR) and connected devices has made it easier to automate care processes, share patient information, and more efficiently deliver patient care. However, it has also made health systems and information far more vulnerable to various forms of cyberattack that can directly impact healthcare businesses, as well as their partners and patients.

There are ample statistics that show healthcare organizations are increasingly targeted by cyberattacks and scrambling to implement adequate cybersecurity. For example, nearly 73% of healthcare organizations had a data breach in the past two years, though it is likely that not all data breaches have been discovered yet. Each of these coming with an average price tag per breach of $717,000 to $2.2 million. Breached organizations also ended up spending millions more in marketing to stem loss of business and to regain their reputation and patient trust. When all is said and done, the average annualized cost of cybercrime for a healthcare organization could be nearly $12.5 million per year.

Worryingly, in the face of all the cyberthreat headwinds, healthcare organizations are not keeping up with investments in cybersecurity. While global healthcare cybersecurity spending is expected to exceed $65 billion (yes, billion with a B) in aggregate, spending has remained relatively flat since 2016. Cross-industry 10-14% of IT budgets are dedicated to cybersecurity, but similar spending is only about 3% of IT budgets across healthcare organizations. Nearly half of healthcare organizations mark budget as a major roadblock to implementing proper cybersecurity.

In light of these statistics, the HHS saw the importance of releasing a publication that could foster awareness and help the healthcare industry move towards consistent industry-wide best practices with the most impact to mitigate cybersecurity threats.

What the Guidelines Mean for Healthcare Organizations

The HHS guidelines do not cover all types of cyber threats, but focus on the top five threats facing healthcare organizations:

  • E-mail phishing attacks – A fraudulent attempt to disguise a trustworthy entity, usually to capture user names, passwords, or credit card details, typically carried out when someone clicks a legitimate-looking link in an email or message.

  • Ransomware attacks – When attackers take control of an organization’s systems and data, holding them for ransom, often disrupting or interrupting the organization’s services.

  • Loss or theft of equipment or data – While loss or theft of equipment might not be a result of cyberattack, lost assets, if unprotected, can be exploited to gain confidential system credentials or data.

  • Insider, accidental or intentional data loss – When an employee or contractor, either maliciously or negligently, causes an instance of data loss or breach in privacy or security.

  • Attacks against connected medical devices – The proliferation of medical devices that are connected to networks, if not set up and managed properly, presents numerous attack vectors to exploit a system, disrupt or interrupt the organization’s service, potentially affecting patients who are connected to or using the devices.

With these top threats in mind, the guidance comes in multiple parts: a main document, two technical volumes, and an appendix.

The main document sets forth a call to action for the healthcare industry and discusses the threats and current state of cybersecurity in healthcare. The main document also provides many good examples and statistics behind the cyber threat to healthcare, with a high-level discussion on how to mitigate the risks, referring to practices further detailed in the technical documents.

The technical volumes serve as a guide for IT or IT security professionals on what to do and look for. One of the technical volumes is for small healthcare organization, while the other volume is for medium- and large-sized healthcare organizations.

Finally, the appendix has additional resources and useful references to supplement the other three documents.

Practical Guidance

The technical volumes provide guidance in the form of 10 effective cybersecurity practices to mitigate identified threats:

  1. Email protection systems

  2. Endpoint protection systems

  3. Access management

  4. Data protection and loss prevention

  5. Asset management

  6. Network management

  7. Vulnerability management

  8. Incident response

  9. Medical device security

  10. Cybersecurity policies

These practices are not meant to be a comprehensive solution, rather they are intended as recommendations as part of a healthy cybersecurity program. These practices help organizations assess cyber risk and organizational capabilities, share knowledge and drive policy, and help prioritize actions and investments around cybersecurity.

While these practices aren’t intended to introduce a new security framework, they align well with the current NIST cybersecurity framework of five steps to manage cyber threats: Identify, Protect, Detect, Respond, and Recover.

Owl Healthcare Cybersecurity

Here at Owl we’ve been focusing on how data diodes can help secure medical devices, healthcare networks, healthcare document sharing, telemedicine, and diagnostic image sharing. We read these guidelines with interest, because they also align well with our cybersecurity solutions.

The HHS guidelines address many of the practices and principles we advise our customers to follow when deploying data diodes, such as least privilege/functionality, network segmentation/segregation, network monitoring, and end-point protection. Indeed, for these practices, data diodes are a recommended solution in the Department of Homeland Security’s Seven Strategies to Defend Industrial Control Systems.

We also noted the HHS guidelines mentioned practices for medical device security, such as patch and asset management. Medical device security regularly is cited as a top-three cybersecurity concern for healthcare IT executives, and data diodes are especially adept at securing device networks, including medical devices, and particularly with legacy devices.

How IIoT and the Cloud are Upending the Purdue Model in Manufacturing

The Purdue Model of Control Hierarchy is a framework commonly used by manufacturers in pharmaceuticals, oil and gas, food and beverage, and other verticals to group enterprise and industr...
September 11, 2019
Gary McGibbon Business Development Manager - Financial Services

Capital One as a Canary in the Cloud Coal Mine: Part 3 – Conclusions

If the Capital One sysadmin had just changed the WAF password... In the final part of our blog series on the Capital One breach, I want to discuss the conclusions reached based on the vu...
August 15, 2019
Gary McGibbon Business Development Manager - Financial Services

Capital One as a Canary in the Cloud Coal Mine: Part 2 – Findings

"That is a pretty egregious oversight." In the second part of our three part series on the Capital One breach, I want to discuss the vulnerabilities and other elements that went into the...
August 13, 2019