Large health care organizations perform a range of different functions. These organizations may be integrated with other health care delivery organizations, academic medical centers, insurers that provide health care coverage, clearinghouses, pharmaceuticals, or medical device manufacturers. In most cases, large organizations have thousands of employees, maintain tens of thousands to hundreds of thousands of IT assets, and have intricate and complex digital ecosystems. Whereas smaller organizations operate using only a few critical systems, large organizations can have hundreds or thousands of interconnected systems with complex functionality.

The missions of large organizations are diverse and varied. They include providing standard general practice care, providing specialty or subspecialty care for complicated medical cases, conducting innovative medical research, providing insurance coverage to large populations of patients, supporting the health care delivery ecosystem, and supplying and researching new therapeutic treatments (such as drugs or medical devices).

Large organizations have missions that are broad in scope, and large volumes of assets may be necessary to fulfill such missions. Even so, they often struggle to obtain funding to maintain security programs and to control their assets (potentially resulting in shadow IT, rogue devices, and unmanaged/unpatched devices). Therefore, it is essential for large organizations to understand how sensitive data flow in and out of the organization, and to understand the boundaries and segments that determine the responsibilities of each entity.


Large organizations operate in a legal and regulatory environment that is as complicated as their digital ecosystems. It includes, but is not limited to, the following:
  • ONC Certified Electronic Health Information Technology interoperability standards
  • Multiple obligations under the FDA
  • The Joint Commission accreditation processes
  • HIPAA/HITECH requirements
  • Minimum Acceptable Risk Standards for payers
  • State privacy and security rules
  • Federal Information Security Modernization Act requirements as incorporated into federal contracts and research grants through agencies such as the National Institutes of Health
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • SAMHSA requirements
  • The Gramm-Leach-Bliley Act for financial processing
  • The Stark Law as it relates to providing services to affiliated organizations
  • FERPA for institutions that participate in higher education
  • GINA
  • The new GDPR in the European Union


IT Assets Used by Large Organizations

Large organizations support their operations with complicated ecosystems of IT assets. Any asset may have cybersecurity vulnerabilities that leave it susceptible to cyber threats.

There are three important factors in understanding how to secure assets:

  • (1) Their relationship within the organization’s IT ecosystem
  • (2) How the workforce leverages and uses the assets
  • (3) The data generated, stored, and processed within those assets


Not all assets are equally important; mission critical assets must always be fully operational, while less critical might be offline for days or weeks without harming the organization’s mission. Some assets, while not mission critical, may have large repositories of sensitive data that represent significant risk. In all cases, the organization uses IT assets for business reasons and should protect those assets with proper cyber hygiene controls.

  • Devices used by the workforce, such as mobile phones, tablets, voice recorders, and laptop computers for dictation (all with internet connectivity).
  • Personal devices, often referred to as bring your own device (BYOD).
  • Large deployments of IoT assets, including smart televisions and networked medical devices, printers, copiers, security cameras, refrigeration sensors, blood bank monitoring systems, building management sensors, and more.
  • Applications or information systems that support the business processes. These may include human resource (HR) or enterprise resource planning (ERP) systems, pathology lab systems, blood bank systems, medical imaging systems, pharmacy systems, revenue cycle systems, supply chain or materials management systems, specialized oncology therapy systems, radiation oncology treatment systems, and data warehouses (e.g., clinical, financial).
  • Assets related to the IT infrastructure, such as firewalls, network switches and routers, Wi-Fi networks (both corporate and guest), servers supporting IT management systems, and file storage systems (cloud-based or onsite).

Personal devices, often referred to as bring your own device (BYOD), are generally not permitted in medium-sized organizations due to the organizations’ inability to implement the dedicated security controls required to secure such devices.



Cybersecurity Threats

In 2017, under the leadership of HHS, the Healthcare Industry Cybersecurity Task Force (HCIC) conducted a Healthcare Industry Cybersecurity Risk Assessment; the results were published in the Health Care Industry Cybersecurity Report. The Health and Public Health Coordinating Council Task Group responded to the findings and the Cybersecurity Act’s mandate to “Align Health Care Industry Security Approaches.”

The Task Group determined that it could not effectively identify every cybersecurity challenge across the large and complex U.S. health care industry. Therefore, the decision was made to focus on the most impactful threats, with the goal of significantly moving the cybersecurity needle for a broad range of organizations within the industry. The report identified the Top 5 Threats to large healthcare organizations:



HHS Top 5 Threats for large healthcare organizations
  • 1. E-mail phishing attacks
  • 2. Ransomware attacks
  • 3. Loss or theft of equipment or data
  • 4. Insider, accidental or intentional data loss
  • 5. Attacks against connected medical devices that may affect patient safety


Mitigation Practices

The Department of Health and Human Services (HHS) recently published a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes to mitigate the risks resulting from the top five cybersecurity threats to small healthcare organizations.



Mitigation Practice #1: E-mail Protection Systems

Phishing attacks via email (a type of hacking attack) are the most common first point of unauthorized entry into an organization. The effectiveness of phishing attacks allows attackers to bypass most perimeter detections by “piggybacking” on legitimate workforce users. If an attacker obtains an employee’s password via phishing, and that employee has remote access to the organization’s IT assets, the attacker has made significant progress toward penetrating the organization.

Targets
  • E-mail phishing attacks
  • Ransomware attacks
  • Insider, accidental or intentional data loss

Cyber Tygr solutions focus on:
  • Basic E-mail protection controls
  • Multifactor authentication for remote access
  • E-mail encryption
  • Workforce education
  • Advanced and Next-Generation Tooling
  • Digital Signatures
  • Analytics Driven Education


Mitigation Practice #2: Endpoint Protection Systems

Endpoints are the assets the workforce uses to interface with an organization’s digital ecosystem, such as desktops, laptops, workstations, and mobile devices. Current cyber attacks target endpoints as frequently as networks; implementing baseline security measures on these assets provides a critical layer of threat management. As the modern workforce becomes increasingly mobile, it is essential for these assets to interface and function securely.

Targets
  • Ransomware attacks
  • Loss or theft of equipment or data

Cyber Tygr solutions focus on:
  • Basic endpoint protection controls
  • Automated provisioning of endpoints
  • Mobile device management
  • Host based intrusion detection/prevention systems
  • Endpoint detection response
  • Application whitelisting
  • Micro-segmentation/virtualization strategies


Mitigation Practice #3: Access Management

Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints. Just as a name badge may be required to identify persons in the physical work environment, cybersecurity access management practices can help ensure that users are properly identified in the digital environment, as well.

Targets
  • Attacks against connected medical devices affecting patient safety
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Identification and authentication
  • Provisioning, transfers, de-provisioning procedures
  • Multi-factor authentication for remote access
  • Federated Identity Management
  • Authorization
  • Access Governance
  • Single Sign-On


Mitigation Practice #4: Data Protection and Loss Prevention

As an organization begins shoring up its data protection and prevention controls, it is best to begin by understanding the types of data that exist in the organization, setting a classification schema for these data, and then determining how the data are processed. Establish a set of policies and procedures for normal data use and then build in “guardrail” systems to guide your user base toward these business processes.

Targets
  • Loss or theft of equipment or data
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Classification of data
  • Data use procedures
  • Data security
  • Backup strategies
  • Advanced data loss prevention
  • Mapping of data flows


Mitigation Practice #5: Asset Management

IT asset management (ITAM) is a foundation for all other cybersecurity practices and is critical to ensuring that proper cyber hygiene controls are in place across all assets in the organization. ITAM processes should be implemented for endpoints, servers, and networking equipment.

Targets
  • Attacks against connected medical devices affecting patient safety
  • Loss or theft of equipment or data
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Inventory of endpoints and servers
  • Procurement
  • Secure storage for inactive devices
  • Decommissioning assets


Mitigation Practice #6: Network Management

Computers communicate with other computers through networks. These networks are connected wirelessly or via wired connections (e.g., network cables), and networks must be established before systems can interoperate. Networks that are established in an insecure manner increase an organization’s exposure to cyber attack.

Proper cybersecurity hygiene ensures that networks are secure and that all networked devices access networks safely and securely. If network management is provided by a third-party IT support vendor, the organization must understand key aspects of proper network management for inclusion in contracts for these services.

Targets
  • Attacks against connected medical devices affecting patient safety
  • Loss or theft of equipment or data
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Network profiles and firewalls
  • Network segmentation
  • Micro-segmentation
  • Intrusion prevention systems
  • Web proxy protection
  • Physical security of network devices
  • Command and Control
  • Monitoring of perimeter
  • Anomalous network monitoring and analytics
  • Network based sandboxing/malware execution
  • Network access control


Mitigation Practice #7: Vulnerability Management

Vulnerability management is the process used by organizations to detect technology flaws that hackers could exploit. This process uses a scanning capability, often provided by an IT support vendor, to proactively scan the devices and systems in your organization. The ability to mitigate vulnerabilities before a hacker discovers them gives the organization a competitive edge and time to address these vulnerabilities in a prioritized fashion.

Targets
  • Attacks against connected medical devices affecting patient safety
  • Loss or theft of equipment or data
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Host/server based scanning
  • Web application scanning
  • System placement and data classification
  • Patch management, configuration management & change management
  • Penetration testing
  • Remediation planning


Mitigation Practice #8: Security Operations Center (SOC) & Incident Response (IR)

Maintaining detection and response capabilities requires establishing an IR program and a SOC to manage the IR, along with security engineering that enhances an organization’s ability to detect and respond to cyber attacks. A SOC is an organizational structure that leverages cybersecurity frameworks, people, tools, and processes to provide dedicated cybersecurity operations. SOCs are the areas within an organization that dedicate 100 percent of their time to cybersecurity prevention, detection, or response capabilities, providing the execution arm of cybersecurity IR.

Targets
  • Phishing attacks
  • Attacks against connected medical devices affecting patient safety
  • Loss or theft of equipment or data
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Security operations center monitoring
  • Incident response planning
  • Forensic services
  • Advanced security operations center
  • Advanced information sharing
  • Incident response orchestration
  • Baseline network traffic
  • User behavior analytics
  • Deception technologies


Mitigation Practice #9: Medical Device Security

As with all technologies, medical device benefits are accompanied by cybersecurity challenges. One emerging threat is the practice of hacking medical devices to cause harm by operating them in an unintended manner. For example, the 2015 document “How to Hack an Infusion Pump” describes how an infusion pump can be controlled remotely to modify the dosage of drugs, threatening patient safety and well-being.

Medical devices are essential to diagnostic, therapeutic, and treatment practices. These devices deliver significant benefits and are successful in the treatment of many diseases. As technology advances and health care environments migrate to digitized systems, so do medical devices. For many reasons, it is highly desirable to interface medical devices directly with clinical systems.

Cybersecurity vulnerabilities are introduced when medical devices are connected to a network or computer to process required updates. Many medical devices are managed remotely by third-party vendors, which increases the attack footprint.

Targets
  • Attacks against connected medical devices, affecting patient safety

Cyber Tygr solutions focus on:
  • Medical device management
  • Endpoint protection
  • Automated device discovery and management
  • Device level risk management
  • Network segmentation
  • Vulnerability management
  • Security operations and incident response
  • Procurement and security evaluations
  • Contacting the FDA


Mitigation Practice #10: Cybersecurity Policies

To set proper expectations, organizational policies should support stringent cybersecurity hygiene controls. With consistent training and enforcement, expectations are clearly expressed to the workforce.

These policies should be written for the various user audiences that exist in the organization, considering differences between the general workforce user, IT user, and high-profile or high-risk users (e.g., finance, HR, or health information management).

Targets
  • Phishing attacks
  • Attacks against connected medical devices affecting patient safety
  • Loss or theft of equipment or data
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Policy development
  • HIPAA Security Gap Assessment