Large health care organizations perform a range of different functions. These organizations may be integrated with other health care delivery organizations, academic medical centers, insurers that provide health care coverage, clearinghouses, pharmaceuticals, or medical device manufacturers. In most cases, large organizations have thousands of employees, maintain tens of thousands to hundreds of thousands of IT assets, and have intricate and complex digital ecosystems. Whereas smaller organizations operate using only a few critical systems, large organizations can have hundreds or thousands of interconnected systems with complex functionality.
The missions of large organizations are diverse and varied. They include providing standard general practice care, providing specialty or subspecialty care for complicated medical cases, conducting innovative medical research, providing insurance coverage to large populations of patients, supporting the health care delivery ecosystem, and supplying and researching new therapeutic treatments (such as drugs or medical devices).
Large organizations have missions that are broad in scope, and large volumes of assets may be necessary to fulfill such missions. Even so, they often struggle to obtain funding to maintain security programs and to control their assets (potentially resulting in shadow IT, rogue devices, and unmanaged/unpatched devices). Therefore, it is essential for large organizations to understand how sensitive data flow in and out of the organization, and to understand the boundaries and segments that determine the responsibilities of each entity.
Large organizations support their operations with complicated ecosystems of IT assets. Any of these assets may have cybersecurity vulnerabilities that leave it susceptible to cyber threats.
Not all assets are equally important; mission-critical assets must always be fully operational, while less critical assets might be offline for days or weeks without harming the organization’s mission. Some assets, while not mission critical, may hold large repositories of sensitive data that represent significant risk. In all cases, the organization uses IT assets for business reasons and should protect those assets with proper cyber hygiene controls.
• Devices used by the workforce, such as mobile phones, tablets, voice recorders, and laptop computers for dictation (all with internet connectivity).
• Personal devices, often referred to as bring your own device (BYOD).
• Large deployments of IoT assets, including smart televisions and networked medical devices, printers, copiers, security cameras, refrigeration sensors, blood bank monitoring systems, building management sensors, and more.
• Applications or information systems that support the business processes. These may include human resource (HR) or enterprise resource planning (ERP) systems, pathology lab systems, blood bank systems, medical imaging systems, pharmacy systems, revenue cycle systems, supply chain or materials management systems, specialized oncology therapy systems, radiation oncology treatment systems, and data warehouses (e.g., clinical, financial).
• Assets related to the IT infrastructure, such as firewalls, network switches and routers, Wi-Fi networks (both corporate and guest), servers supporting IT management systems, and file storage systems (cloud-based or onsite).
Personal devices, often referred to as bring your own device (BYOD), are generally not permitted in medium-sized organizations due to the organizations’ inability to implement the dedicated security controls required to secure such devices.
In 2017, under the leadership of HHS, the Healthcare Industry Cybersecurity Task Force (HCIC) conducted a Healthcare Industry Cybersecurity Risk Assessment; the results were published in the Health Care Industry Cybersecurity Report. The Health and Public Health Coordinating Council Task Group responded to the findings and the Cybersecurity Act’s mandate to “Align Health Care Industry Security Approaches.”
The Task Group determined that it could not effectively identify every cybersecurity challenge across the large and complex U.S. health care industry. Therefore, the decision was made to focus on the most impactful threats, with the goal of significantly moving the cybersecurity needle for a broad range of organizations within the industry. The report identified the Top 5 Threats to large healthcare organizations:
The Department of Health and Human Services (HHS) recently published a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes to mitigate the risks resulting from the five top cybersecurity threats to small healthcare organizations.
Phishing attacks via email (a type of hacking attack) are the most common first point of unauthorized entry into an organization. The effectiveness of phishing attacks allows attackers to bypass most perimeter detections by “piggybacking” on legitimate workforce users. If an attacker obtains an employee’s password via phishing, and if that employee has remote access to the organization’s IT assets, the attacker has made significant progress toward penetrating the organization.
Endpoints are the assets the workforce uses to interface with an organization’s digital ecosystem, such as desktops, laptops, workstations, and mobile devices. Current cyber attacks target endpoints as frequently as networks; implementing baseline security measures on these assets provides a critical layer of threat management. As the modern workforce becomes increasingly mobile, it is essential for these assets to interface and function securely.
Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints. Just as a name badge may be required to identify persons in the physical work environment, cybersecurity access management practices can help ensure that users are properly identified in the digital environment, as well.
As an organization begins shoring up its data protection and prevention controls, it is best to begin by understanding the types of data that exist in the organization, setting a classification schema for these data, and then determining how the data are processed. Establish a set of policies and procedures for normal data use and then build in “guardrail” systems to guide your user base toward these business processes.
IT asset management (ITAM) is a foundation for all other cybersecurity practices and is critical to ensuring that proper cyber hygiene controls are in place across all assets in the organization. ITAM processes should be implemented for endpoints, servers, and networking equipment.
Computers communicate with other computers through networks. These networks are connected wirelessly or via wired connections (e.g., network cables), and networks must be established before systems can interoperate. Networks that are established in an insecure manner increase an organization’s exposure to cyber attack.
Proper cybersecurity hygiene ensures that networks are secure and that all networked devices access networks safely and securely. If network management is provided by a third-party IT support vendor, the organization must understand key aspects of proper network management for inclusion in contracts for these services.
Vulnerability management is the process used by organizations to detect technology flaws that hackers could exploit. This process uses a scanning capability, often provided by a third-party IT support vendor, to proactively scan the devices and systems in your organization. The ability to find vulnerabilities before a hacker discovers them gives the organization an edge and the time to address those vulnerabilities in a prioritized fashion.
Maintaining detection and response capabilities requires establishing an incident response (IR) program and a security operations center (SOC) to manage the IR, along with security engineering that enhances an organization’s ability to detect and respond to cyber attacks. A SOC is an organizational structure that leverages cybersecurity frameworks, people, tools, and processes to provide dedicated cybersecurity operations. SOCs are the areas within an organization that dedicate 100 percent of their time to cybersecurity prevention, detection, or response capabilities, providing the execution arm of cybersecurity IR.
As with all technologies, medical device benefits are accompanied by cybersecurity challenges. One emerging threat is the practice of hacking medical devices to cause harm by operating them in an unintended manner. For example, the 2015 document “How to Hack an Infusion Pump” describes how an infusion pump can be controlled remotely to modify the dosage of drugs, threatening patient safety and well-being.
Medical devices are essential to diagnostic, therapeutic and treatment practices. These devices deliver significant benefits and are successful in the treatment of many diseases. As technology advances and health care environments migrate to digitized systems, so do medical devices. For many reasons, it is highly desirable to interface medical devices directly with clinical systems.
Cybersecurity vulnerabilities are introduced when medical devices are connected to a network or computer to process required updates. Many medical devices are managed remotely by third-party vendors, which increases the attack footprint.
To set proper expectations, organizational policies should support stringent cybersecurity hygiene controls. With consistent training and enforcement, expectations are clearly expressed to the workforce.
These policies should be written for the various user audiences that exist in the organization, considering differences between the general workforce user, IT user, and high-profile or high-risk users (e.g., finance, HR, or health information management).