Medium-sized health care organizations perform critical functions for the health care and public health (HPH) sector. These organizations include critical access hospitals in rural areas, practice management organizations supporting physician practices, revenue cycle or billing organizations, mid-sized device manufacturers, and group practices. Medium-sized health care organizations generally employ hundreds of personnel, numerous information technology (IT) assets, and may be primary partners with small and large health care organizations. It is typical for a medium-sized organization to have several critical systems interconnected to enable work activities in support of the organization’s mission.
These organizations tend to have a diverse inventory of assets that support multiple revenue streams. They also tend to have narrow profit margins, limited resources, and limited flexibility to implement robust cybersecurity practices. For example, it is rare for a medium-sized organization to have its own dedicated 24/7/365 security operations center (SOC).
Medium-sized organizations tend to focus on preventing cybersecurity events by implementing rigid security policies. This rigidity is often due to insufficient resources to support more open and flexible cybersecurity models, such as those larger organizations can often afford. Medium-sized organizations usually struggle to obtain cybersecurity funding that is distinct from their standard IT budgets. The top security professional in an organization of this size might often feel overwhelmed by compliance and cybersecurity duties, wear multiple hats, and experience constraints around execution plans.
Medium-sized organizations may have thousands of IT assets, with a mix of dozens to a hundred information systems. Any asset may have cybersecurity vulnerabilities that leave it susceptible to cyber threats. There are three important factors in understanding how to secure assets:
Not all assets are equally important; mission critical assets must always be fully operational, while less critical assets might be offline for days or weeks without harming the organization’s mission. Some assets, while not mission critical, may have large repositories of sensitive data that represent significant risk. In all cases, the organization uses IT assets for business reasons and should protect those assets with proper cyber hygiene controls. Examples of assets found in medium-sized organizations include, but are not limited to, the following:
• Static devices used by the workforce, such as shared workstations, and clinical workstations used strictly for patient care with select mobile devices, such as laptops and smartphones. Medium-sized organizations may not maintain many mobile devices, owing to budget restrictions.
• Internet of things (IoT) devices, such as smart televisions and medical devices, printers, copiers, and security cameras.
• Data that includes sensitive health information stored and processed on devices, servers, applications, and the cloud. These data include names, medical record numbers, birth dates, social security numbers (SSNs), diagnostic conditions, prescriptions, and mental health, substance abuse, or sexually transmitted infection information. These sensitive data are referred to as protected health information (PHI) under HIPAA.
• Assets related to the IT infrastructure, such as firewalls, network switches and routers, Wi-Fi networks (both corporate and guest), servers supporting IT management systems, and file storage systems (cloud-based or onsite).
• Applications or information systems that support the business processes. These may include human resource (HR) or enterprise resource planning (ERP) systems, pathology lab systems, blood bank systems, medical imaging systems, pharmacy systems, revenue cycle systems, supply chain or materials management systems, specialized oncology therapy systems, radiation oncology treatment systems, and data warehouses (e.g., clinical, financial).
In 2017, under the leadership of HHS, the Healthcare Industry Cybersecurity Task Force (HCIC) conducted a Healthcare Industry Cybersecurity Risk Assessment; the results were published in the Health Care Industry Cybersecurity Report. The Health and Public Health Coordinating Council Task Group responded to the findings and the Cybersecurity Act’s mandate to “Align Health Care Industry Security Approaches.”
The Task Group determined that it could not effectively identify every cybersecurity challenge across the large and complex U.S. health care industry. Therefore, the decision was made to focus on the most impactful threats, with the goal of significantly moving the cybersecurity needle for a broad range of organizations within the industry. The report identified the Top 5 Threats to medium healthcare organizations:
To assist large healthcare organizations in addressing the risk posed by the Top 5 Threats, the Department of Health and Human Services (HHS) recently published a common set of best practices, methodologies, procedures, and processes. These mitigation guidelines, though voluntary, are consensus based and industry led.
Phishing attacks via email (a type of hacking attack) are the most common first point of unauthorized entry into an organization. The effectiveness of phishing attacks allows attackers to bypass most perimeter detections by “piggybacking” on legitimate workforce users. If an attacker obtains an employee’s password via phishing, and if that employee has remote access to the organization’s IT assets, the attacker has made significant progress toward penetrating the organization.
Endpoints are the assets the workforce uses to interface with an organization’s digital ecosystem, such as desktops, laptops, workstations, and mobile devices. Current cyber attacks target endpoints as frequently as networks; implementing baseline security measures on these assets provides a critical layer of threat management. As the modern workforce becomes increasingly mobile, it is essential for these assets to interface and function securely.
Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints. Just as a name badge may be required to identify persons in the physical work environment, cybersecurity access management practices can help ensure that users are properly identified in the digital environment, as well.
As an organization begins shoring up its data protection and prevention controls, it is best to begin by understanding the types of data that exist in the organization, setting a classification schema for these data, and then determining how the data are processed. Establish a set of policies and procedures for normal data use and then build in “guardrail” systems to guide your user base toward these business processes.
IT asset management (ITAM) is a foundation for all other cybersecurity practices and critical to ensuring that proper cyber hygiene controls are in place across all assets in the organization. ITAM processes should be implemented for endpoints, servers and networking equipment.
Computers communicate with other computers through networks. These networks are connected wirelessly or via wired connections (e.g., network cables), and networks must be established before systems can interoperate. Networks that are established in an insecure manner increase an organization’s exposure to cyber attack.
Proper cybersecurity hygiene ensures that networks are secure and that all networked devices access networks safely and securely. If network management is provided by a third-party IT support vendor, the organization must understand key aspects of proper network management for inclusion in contracts for these services.
Vulnerability management is the process used by organizations to detect technology flaws that hackers could exploit. This process uses a scanning capability, often provided by an EHR or IT support vendor, to proactively scan devices and systems in your organization. The ability to mitigate vulnerabilities before a hacker discovers them gives the organization a competitive edge and time to address these vulnerabilities in a prioritized fashion.
Maintaining detection and response capabilities requires establishing an IR program and a SOC to manage the IR, along with security engineering that enhances an organization’s ability to detect and respond to cyber attacks. A SOC is an organizational structure that leverages cybersecurity frameworks, people, tools, and processes to provide dedicated cybersecurity operations. SOCs are the areas within an organization that dedicate 100 percent of their time to cybersecurity prevention, detection, or response capabilities, providing the execution arm of cybersecurity IR.
As with all technologies, medical device benefits are accompanied by cybersecurity challenges. One emerging threat is the practice of hacking medical devices to cause harm by operating them in an unintended manner. For example, the 2015 document “How to Hack an Infusion Pump” describes how an infusion pump can be controlled remotely to modify the dosage of drugs, threatening patient safety and well-being.
Medical devices are essential to diagnostic, therapeutic and treatment practices. These devices deliver significant benefits and are successful in the treatment of many diseases. As technology advances and health care environments migrate to digitized systems, so do medical devices. For many reasons, it is highly desirable to interface medical devices directly with clinical systems.
Cybersecurity vulnerabilities are introduced when medical devices are connected to a network or computer to process required updates. Many medical devices are managed remotely by third-party vendors, which increases the attack footprint.
To set proper expectations, organizational policies should support stringent cybersecurity hygiene controls. With consistent training and enforcement, expectations are clearly expressed to the workforce.
These policies should be written for the various user audiences that exist in the organization, considering the differences between the general workforce user, IT user, and high-profile or high-risk users (e.g., finance, HR, or health information management).