HHS’ HICP document improves cybersecurity posture, focuses on zero trust, defense-in-depth strategies

The U.S. Department of Health and Human Services (HHS) 405(d) Program in conjunction with the HHS 405(d) Task Group released a document that aims to raise awareness, provide vetted cybersecurity practices, and move towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. Closely aligned to the NIST Cybersecurity Framework, the Health Industry Cybersecurity Practices (HICP) initiative will help develop meaningful cybersecurity objectives and outcomes. 

The document titled ‘Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients 2023 Edition’ comes in three parts – Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (main document); Technical Volume 1 covering cybersecurity practices for small healthcare organizations; and Technical Volume 2 covering cybersecurity practices for medium and large healthcare organizations.

The main document provides the sector an overview of the five threats facing the healthcare sector and instructions on how to use the publication. It has also been updated to renew the agency’s call to action to maintain patient safety and includes new cybersecurity strategies, such as zero trust and defense-in-depth. It also now includes a section on the importance of workplace training and awareness and guides why each role in a healthcare and public health organization is important to keep patients safe from cyber threats.

Technical Volume 1 provides 10 cybersecurity practices, with many sub-practices, that small entities can implement to combat the five threats; Technical Volume 2 provides the same 10 practices and their sub-practices tailored to medium and large entities.

The healthcare and public health sector has faced dramatic increases in cyber-attacks intended to disrupt the care continuum. In response to this growing threat, the HHS 405(d) program conducted a Landscape Analysis, which reviewed active threats attacking hospitals and the cybersecurity capabilities of hospitals operating in the U.S.

The Landscape Analysis was a deeper investigative study of the methods that cyber adversaries use to compromise U.S. hospitals, disrupt operations, and extort them for financial gain. It then benchmarked these results against specific HICP practices to outline the most meaningful protections for these specific threats.

The HICP main document intends to foster awareness, provide practices, and move towards consistency within the healthcare and public health sector in mitigating the current most impactful cybersecurity threats. The top five threats identified are:

  • social engineering 
  • ransomware attacks 
  • loss or theft of equipment or data 
  • insider, accidental, or malicious data loss 
  • attacks against network-connected medical devices that may affect patient safety.

Social engineering attacks begin as tricks to fool people into providing sensitive details, such as passwords, banking numbers, social security numbers, or other sensitive data by claiming to be someone they are not. Attackers might send a spoofed email pretending to be your supervisor or send a message that appears to be from your IT department. 

One common type of social engineering attack is called ‘phishing,’ which is typically delivered through email. Email phishing is an attempt to trick employees at the workplace into providing information by email. Social engineering attacks also appear as fraudulent text messages or phone calls claiming to come from an important facility. In the past several years, these attacks have become much more sophisticated and personal. 

The HICP document also pointed out that over the last five years, there has been a substantial rise in business email compromise (BEC) reported to the FBI. In these attacks, a trusted relationship with an organization is exploited for financial gain. The attacker impersonates a high-level figure and asks an employee to conduct wire transfers, or even to purchase gift cards and send the codes back by email.  

Some BEC attacks are launched within an organization when one person is tricked into providing the login to their email account, the HICP said. “The attacker can then use this person’s email account to send out more emails to all their contacts. Attackers are even known to use email conversations you were already having with a contact to send a new email with infected links or attachments,” it added. 
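The two BEC patterns described above, an outsider borrowing an executive's display name and a message that steers replies to a different mailbox, can be screened for with simple header heuristics. The following is an added example written for this article, not code from HICP or HHS; the domain, executive names, keyword list and sample messages are all constructed, and a real deployment would take them from the mail gateway and the organization's directory.

```python
"""
Heuristic screening for business email compromise (BEC) indicators.

Added example, not part of the HICP publication. It flags three things the
article describes: an executive's display name on mail from outside the
organization, a Reply-To that diverts replies away from the apparent sender,
and payment or urgency language in the text. Everything below is constructed.
"""
from email.utils import parseaddr

# Constructed: the organization's own domain and the people most likely to be impersonated.
INTERNAL_DOMAIN = "example-clinic.test"
EXECUTIVE_NAMES = {"dana moreno", "chris okafor"}  # hypothetical CFO and CEO

# Constructed: phrases that commonly accompany payment-redirection lures.
URGENCY_TERMS = ("wire transfer", "gift card", "urgent", "confidential", "asap")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(msg: dict) -> list:
    """Return the BEC indicators found in one message.

    msg holds raw header values 'From', optional 'Reply-To', 'Subject',
    and the message text under 'Body'.
    """
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Executive display name on a message that did not come from our domain.
    if display.strip().lower() in EXECUTIVE_NAMES and from_dom != INTERNAL_DOMAIN:
        findings.append("exec-name-external-sender")

    # 2. Reply-To domain differs from the From domain: replies go elsewhere.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr and _domain(reply_addr) != from_dom:
            findings.append("reply-to-domain-mismatch")

    # 3. Payment or urgency language in subject or body.
    text = (msg.get("Subject", "") + " " + msg.get("Body", "")).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("payment-urgency-language")

    return findings


def triage(messages) -> dict:
    """Map each message id to its list of indicators."""
    return {m["id"]: bec_indicators(m) for m in messages}


def high_priority(messages, threshold: int = 2) -> list:
    """Ids of messages with at least `threshold` indicators, for analyst review first."""
    return [mid for mid, found in triage(messages).items() if len(found) >= threshold]


# Constructed sample messages: one legitimate, one executive impersonation,
# one vendor payment-redirection attempt.
SAMPLE_MESSAGES = [
    {"id": "m1",
     "From": "Dana Moreno <dana.moreno@example-clinic.test>",
     "Subject": "Q3 budget review",
     "Body": "See attached slides."},
    {"id": "m2",
     "From": "Dana Moreno <dana.moreno@freemail-example.test>",
     "Reply-To": "dmoreno.private@another-example.test",
     "Subject": "Urgent request",
     "Body": "I need you to buy gift cards for a client. Keep this confidential."},
    {"id": "m3",
     "From": "Vendor Billing <billing@vendor-example.test>",
     "Reply-To": "accounts@other-example.test",
     "Subject": "Updated remittance details",
     "Body": "Please send the wire transfer to our new account."},
]

if __name__ == "__main__":
    for mid, found in triage(SAMPLE_MESSAGES).items():
        print(mid, found or "clean")
    print("review first:", high_priority(SAMPLE_MESSAGES))
```

None of these checks is conclusive on its own (executives do use personal mail, and vendors do change remittance details), which is why the example counts indicators rather than blocking on any single one; the out-of-band confirmation that HICP's practices call for is still the deciding control.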

The HICP document said that 66 percent of healthcare organizations were hit by ransomware in 2021. “Over time, ransomware attacks have evolved to include targeted attacks. These attacks are adapted for specific groups or organizations to make them more effective. Once attackers access your network, they use ransomware to restrict access to your devices and data until a ransom is paid. Generally, these attacks are ‘human-operated.’ It’s common for attackers to first leverage social engineering to get access to credentials, then use those credentials to access the network and deploy ransomware,” it added. 

The document evaluated that these attacks have serious monetary repercussions that can lead to permanent closures, especially for small healthcare organizations. In instances where no backups are in place, attackers delete the files, and owners are forced to close their practice. These threats are on the rise and becoming more advanced.

The HICP document identified that mobile devices such as laptops, tablets, smartphones, and USB/thumb drives are lost or stolen daily, and they end up in the hands of attackers. Theft of equipment and data is an ever-present and ongoing threat for all organizations. The agency revealed that, in 2021, 713 major health data breaches, affecting more than 45.7 million individuals, were reported to the HHS OCR. 

“Although the value of the device represents one loss, the consequences of losing a device that contains sensitive data are far greater,” the document added. “In cases where the lost device was not appropriately safeguarded with practices such as MFA or other encryptions, the loss may result in unauthorized or illegal access, dissemination, and use of sensitive data.”

Insider threats exist within every organization where employees, contractors, or other users access the organization’s technology infrastructure, network, or databases. There are two types of insider threats: accidental and malicious.

The HICP document identifies that insider threats involve people who typically have legitimate access to computer systems and networks. “Whether through negligence or malice, insiders can compromise your patient and enterprise data over short or extended periods. This has serious repercussions for the patients, their security, and overall quality of care delivery,” it added. 

The fifth threat covered in the HICP document is network-connected medical devices: devices that use networking technology such as Bluetooth, TCP/IP, and other network-based protocols to communicate and transmit clinical information. 

“Patients are at great risk because an attack has shut down heart monitors, including ones being used in surgery and other procedures. Doctors are now distracted, quality of patient care has suffered, and patients’ health is at risk,” it added. 

The Technical Volumes cover the 10 most effective cybersecurity practices, selected by the 405(d) Task Group to mitigate the current threats. These are email protection systems, endpoint protection systems, access management, data protection and loss prevention, asset management, network management, vulnerability management, security operation centers and incident response, network-connected medical devices, and cybersecurity oversight and governance. Each Technical Volume presents these ten practices, followed by a total of 88 sub-practices, with implementation recommendations. 

While a cybersecurity strategy should be unique to an organization, there are two general approaches that organizations should consider – zero trust and defense-in-depth. HICP and the mitigation practices covered in the technical volumes assist organizations in implementing the concepts and controls that both these strategies focus on.

Building a zero-trust architecture that encompasses multi-layer protections strengthens your security posture, the HICP document identified. “This means all device and user identities, both internal and external, are validated before being granted access to network resources. This approach can be used to mitigate vulnerabilities created by network trends, including bring-your-own-device (BYOD), cloud-based services, and users working remotely. Your organization can enable the zero trust strategy at all network levels to ensure a strong security posture.” 

The document also identified that a holistic cybersecurity approach, such as defense-in-depth, could slow attacks and minimize the damage taking place. “Defense-in-depth is a strategy that layers multiple security safeguards, rather than relying on a single layer. This means if one layer of defense turns out to be inadequate, another layer of defense will hopefully prevent a full breach,” it added. 

A defense-in-depth approach should typically include a wide range of security elements, such as identity and access security controls; perimeter security, including distributed denial-of-service (DDoS) protection; and network security, such as network segmentation and network access controls that limit communication between resources. It must also cover patch management, which removes vulnerabilities; intrusion prevention; endpoint solutions, such as endpoint detection and antivirus software; and controls on access to privileged endpoint accounts.  

Commenting on the HICP document, Ty Greenhalgh, industry principal at Medigate by Claroty, wrote in a company blog post on Monday that the extensive publication is the first HICP update in more than two years; it identifies top cybersecurity threats to the healthcare industry, and 10 blocking-and-tackling mitigation practices and sub-practices aimed at not only larger, more resourced organizations but also smaller healthcare providers.

Greenhalgh also said that the inclusion of the PATCH Act in the 2023 Omnibus Appropriations Bill put medical device vendors on notice that minimum cybersecurity requirements must be met when submitting devices to the FDA for approval. “Those requirements include vital—and missing until then—processes for regularly addressing post-market vulnerabilities and out-of-band fixes for critical bugs, as well as spelling out the need for transparency with regard to the software components used in medical devices,” he added.

Last month, the HHS’ Food and Drug Administration (FDA) agency published final guidance establishing new cybersecurity requirements for cyber devices, which includes information that a sponsor of a premarket submission for a cyber device must provide in its submission.

Ahead of the FDA release, the U.S. Healthcare and Public Health Sector Coordinating Council (HSCC) released ‘Model Contract Language,’ which provides a reference for shared cooperation and coordination between healthcare delivery organizations (HDOs) and medical device manufacturers (MDMs). The template addresses the security, compliance, management, operation, and services of MDM-managed medical devices, solutions, and connections.