Health Industry Cybersecurity Practices
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP 2023 Edition) outlines the top threats facing the HPH Sector. Developed with every stakeholder in mind, organizations from small to large can benefit from the resources and best practices provided in the main document and the additional two technical volumes. HICP aims to provide organizations with recommendations and best practices to prepare and fight against cybersecurity threats that can impact patient safety.
Do you want to start implementing HICP today in your organization? Begin your cyber resilience journey with our interactive “How-to” map and get started today!
Have you heard about the top 5 threats facing the HPH sector?
Social Engineering
Social Engineering is an attempt to trick you into giving out personal information or infecting your device by clicking on a link to give hackers access to patient data. A common avenue for hackers is email phishing.
Real-World Scenario: Your employees receive a fraudulent email from a cyber-attacker disguised as an IT support person from your patient billing company. The email instructs your employees to click on a link to change their billing software passwords. An employee who clicks the link is directed to a fake login page, which collects that employee's login credentials and transmits this information to the attackers. The attacker then uses the employee's login credentials to access your organization's financial and patient data.
Ransomware
Ransomware is an attack that occurs when hackers gain control of data or a computer system and hold it hostage until a ransom is paid. This can put your patients in danger and prevent you from delivering care in a timely fashion.
Real-World Scenario: Through an email that appears to have originated from a credit card company, a user is directed to a fake website and tricked into downloading a security update. The so-called security update is actually a malicious program designed to find and encrypt data, rendering them inaccessible. The program then instructs the user to pay a ransom to unlock or unencrypt the data.
Loss or Theft of Equipment or Data
Everyday devices such as laptops, smart phones, and USB/thumb drives are often lost or stolen and could end up in the hands of hackers. Make sure that you: never leave your laptop or computer unattended, always encrypt sensitive data that is on your device as a second line of defense, and notify your supervisor or IT professional immediately if your equipment is lost or stolen.
Real-World Scenario: A physician stops at a coffee shop for a coffee and to use the public Wi-Fi to review radiology reports. As the physician leaves the table momentarily to pick up his coffee, a thief steals the laptop. The doctor returns to the table to find the laptop is gone.
Insider, Accidental or Malicious Data Loss
Insider threats exist within every organization where employees, contractors, or other users access the organization's technology infrastructure, network, or databases.
Real-World Scenario: An attacker impersonating a staff member of a physical therapy center contacts a hospital employee and asks to verify patient data. Pretending to be hospital staff, the imposter acquires the entire patient health record.
Attacks Against Network Connected Medical Devices
Consider this: Your organization is afflicted by a phishing attack that affects a file server that's connected to multiple heart monitors. The attack gives the hacker complete control to power them off and on as they please.
Real-World Scenario: A cyber attacker gains access to a care provider's computer network through an email phishing attack and takes command of a file server to which a heart monitor is attached. While scanning the network for devices, the attacker takes control (e.g., power off, continuously reboot) of all heart monitors in the ICU, putting multiple patients at risk.
HICP's 10 Mitigating Practices
Email Protection Systems
The two most common phishing methods both arrive by email: 1) credential theft, where attackers use email to conduct credential-harvesting attacks on the organization, and 2) malware dropper attacks, where attackers deliver malware through email that can compromise endpoints. An organization’s cybersecurity practices must address these two attack vectors. Because both attack types leverage email, email systems should be the focus for additional security controls.
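As an added illustration of what "additional security controls" on the email system can look like for the two vectors just described, the script below triages one inbound message for a credential-harvesting lure (link text that shows one host while the href goes to another) and for a dropper-style attachment. It is example code written for this page, not HICP's or any vendor's product logic; the extension list, the quarantine thresholds and the two sample messages (one modelled on the billing-vendor password-reset scenario above, one benign) are constructed assumptions.

```python
"""Inbound e-mail triage for the two phishing vectors named above:
credential-harvesting links and malware-dropper attachments.
Added example with hypothetical rules; not HICP's or any vendor's logic."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed list of attachment types that execute or carry macros; tune per organization.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".docm", ".xlsm"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain(addr_header: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    _, addr = parseaddr(addr_header)
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return findings plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Vector 1: credential theft. Link text that looks like a URL for one host
    # while the href points at another host is the classic harvesting lure.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, text in ANCHOR_RE.findall(html.get_content()):
            shown = re.sub(r"<[^>]+>", "", text).strip()
            if shown.lower().startswith(("http://", "https://")):
                real_host = (urlparse(href).hostname or "").lower()
                shown_host = (urlparse(shown).hostname or "").lower()
                if real_host != shown_host:
                    findings.append(f"link-mismatch: shows {shown_host}, goes to {real_host}")

    # Vector 2: malware dropper. Flag attachment names with risky extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"risky-attachment: {name}")

    # Weaker signal: header From domain differs from the envelope sender domain.
    # Legitimate bulk mailers trigger this too, so on its own it only asks for review.
    from_dom = _domain(str(msg.get("From", "")))
    env_dom = _domain(str(msg.get("Return-Path", "")))
    if from_dom and env_dom and from_dom != env_dom:
        findings.append(f"sender-mismatch: From {from_dom}, Return-Path {env_dom}")

    if any(f.startswith(("link-mismatch", "risky-attachment")) for f in findings):
        verdict = "quarantine"
    elif findings:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "findings": findings}


def build_sample_phish() -> bytes:
    """Constructed lure mirroring the billing-vendor password-reset scenario."""
    m = EmailMessage()
    m["From"] = "IT Support <support@billing-vendor.example>"
    m["Return-Path"] = "<bounce@relay.attacker.test>"
    m["To"] = "nurse@clinic.example"
    m["Subject"] = "Action required: reset your billing portal password"
    m.set_content("Your password expires today. See the attached form.")
    m.add_alternative(
        "<p>Your password expires today.\n"
        '<a href="http://billing-vendor.example.attacker.test/reset">'
        "https://billing-vendor.example/reset</a></p>\n",
        subtype="html",
    )
    m.add_attachment(b"not a real document", maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12",
                     filename="PasswordReset.docm")
    return m.as_bytes()


def build_sample_benign() -> bytes:
    """Constructed internal notice with no links or attachments."""
    m = EmailMessage()
    m["From"] = "Scheduling <scheduling@clinic.example>"
    m["Return-Path"] = "<scheduling@clinic.example>"
    m["To"] = "nurse@clinic.example"
    m["Subject"] = "Tomorrow's clinic hours"
    m.set_content("Clinic opens at 08:00 tomorrow.")
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_phish(), build_sample_benign()):
        print(triage(raw))
```

The link check and the attachment check each justify quarantine on their own; the From/Return-Path comparison is deliberately a softer signal because mailing-list and notification services legitimately use a different bounce domain. In a real gateway these rules sit alongside SPF/DKIM/DMARC evaluation and attachment detonation, which this example does not reproduce.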
Endpoint Protection Systems
An organization’s endpoints must be protected. Endpoints include desktops, laptops, mobile devices, and other connected hardware devices (e.g., printers, medical equipment). Because technology is highly mobile, computers are often connected to and disconnected from an organization’s network.
Identity and Access Management
Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints. Just as you may use a name badge to identify yourself in the physical work environment, cybersecurity access management practices can help ensure that users are properly identified in the digital environment, as well.
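To make the "audit trail that monitors each user's access" concrete, the following added example reviews a constructed access log against a small role-based authorization matrix. It is illustrative code written for this page, not part of HICP; the log line format, the user directory, the role permissions and the bulk-access threshold are all assumptions chosen for the demonstration.

```python
"""Review of an access audit trail against a role-based authorization matrix.
Added example; log format, roles, directory and thresholds are constructed
for illustration and are not taken from HICP."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical authorization matrix: actions each role may perform on patient records.
ROLE_PERMISSIONS = {
    "physician": {"view", "update"},
    "nurse": {"view", "update"},
    "billing": {"view-billing"},
    "it-admin": set(),  # administers systems but holds no clinical data entitlement
}

# Hypothetical identity directory: every user must be known and carry one role.
DIRECTORY = {
    "dr.alvarez": "physician",
    "nurse.kim": "nurse",
    "j.okafor": "billing",
    "sysadmin1": "it-admin",
}

BULK_WINDOW = timedelta(hours=1)
BULK_THRESHOLD = 25  # distinct patient records touched by one user inside the window

# Constructed sample log: four routine events, one unauthorized read, one unknown
# identity, and one clinician opening 30 records late in the evening.
SAMPLE_LOG = [
    "2024-05-02T09:14:03 user=nurse.kim action=view patient=P1007 src=10.4.2.15",
    "2024-05-02T09:15:40 user=dr.alvarez action=update patient=P1007 src=10.4.2.20",
    "2024-05-02T09:20:11 user=j.okafor action=view-billing patient=P1007 src=10.4.3.8",
    "2024-05-02T09:31:55 user=sysadmin1 action=view patient=P2210 src=10.4.9.2",
    "2024-05-02T09:33:02 user=ghost.user action=view patient=P3001 src=10.4.9.9",
] + [
    f"2024-05-02T22:{i:02d}:00 user=dr.alvarez action=view patient=P{5000 + i} src=10.4.2.20"
    for i in range(30)
]


def parse_line(line: str) -> dict:
    """Parse '<iso-timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def review(lines) -> list:
    """Return audit findings: unknown identities, unauthorized actions, bulk access."""
    findings = []
    seen = defaultdict(list)  # user -> [(timestamp, patient_id), ...]
    for line in lines:
        ev = parse_line(line)
        user, action, patient = ev["user"], ev["action"], ev["patient"]
        role = DIRECTORY.get(user)
        if role is None:
            # Access under an identity the directory does not know is always a finding.
            findings.append(f"unknown-identity: {user} {action} {patient}")
            continue
        if action not in ROLE_PERMISSIONS[role]:
            findings.append(f"unauthorized: {user} ({role}) {action} {patient}")
        seen[user].append((ev["ts"], patient))

    # Bulk access: many distinct records by one user inside a sliding window is the
    # pattern behind both insider exfiltration and a compromised account.
    for user, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = {p for t, p in events[i:] if t - start <= BULK_WINDOW}
            if len(window) >= BULK_THRESHOLD:
                findings.append(
                    f"bulk-access: {user} touched {len(window)} records within {BULK_WINDOW}"
                )
                break
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

The three checks map onto the sentence above: the directory lookup is the "clearly identify all users" step, the role matrix is the access-management decision, and the sliding window is the kind of question an audit trail exists to answer. The bulk threshold should be set from each organization's own baseline rather than copied from this example.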
Data Protection and Loss Prevention
A security breach is the loss or exposure of sensitive data, including information relevant to the organization’s business and patient PHI. Impacts to the organization can be profound if data are corrupted, lost, or stolen.
IT Asset Management
Organizations manage IT assets using processes referred to collectively as IT asset management (ITAM). ITAM is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization.
Network Management
Computers communicate with other computers through networks. These networks are connected wirelessly or via wired connections (e.g., network cables), and networks must be established before systems can interoperate. Networks that are established in an insecure manner increase an organization’s exposure to cyberattacks.
Vulnerability Management
Security Operations Center & Incident Response
Incident response is the ability to discover cyberattacks on the network and prevent them from causing a data breach or data loss. Incident response is often referred to as the standard “blocking and tackling” of information security. Many types of security incidents occur on a regular basis across organizations of all sizes. Two common security incidents that affect organizations of all sizes are 1) the installation and detection of malware, and 2) phishing attacks that include malicious payloads (via attachments and links).
Network Connected Medical Device Security
Medical devices are essential to diagnostic, therapeutic and treatment practices. These devices deliver significant benefits and are successful in the treatment of many diseases. As with all technologies, medical device benefits are accompanied by cybersecurity challenges. Cybersecurity vulnerabilities are introduced when medical devices are connected to a network or computer to process required updates; protecting these devices is therefore part of protecting patients. Medical devices are a specialized type of Internet of Things (IoT) device. Rather than recreating cybersecurity practices for them, healthcare organizations are encouraged to extend the relevant cybersecurity practices from each of the other practices and implement them appropriately for medical device management.
Cybersecurity Oversight and Governance
Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyberattacks. They set expectations and foster a consistent adoption of behaviors by your workforce. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access and the consequences of unauthorized access attempts.