The Cybersecurity Act of 2015 (CSA) called for adapting our critical infrastructure to better handle cybersecurity issues using private and public partnerships.  Section 405(d) of CSA calls for “Aligning Health Care Industry Security Approaches.”  A task force has been working on doing that since May 2017.  On December 28, 2018, they published the information we have been excited to see in their document Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).  Let’s review this important information, shall we?

HIPAA For MSPs by David Sims 5 Threats and 10 Protection Practices

Health Industry Cybersecurity Practices Guide

We mentioned a few episodes ago that this information was expected to come out in December.  They said December and they screeched in on two wheels, just the way I like to do myself.  Let me start by saying that this is one of the best guides, if not the best, that HHS has ever published.  I encourage everyone to review it and use it.

HHS stated clearly their intent for this guide and I believe it will be very successful in attaining its lofty goals.

This publication is the result of the collaborative work HHS and its industry partners embarked on more than a year ago—namely, the development of practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for health care organizations of varying sizes, ranging from local clinics, regional hospital systems, to large health care systems.

Kudos definitely go to the co-leads of the Task Force that did all of this work.

Erik C. Decker
Health Sector Coordinating Council Co-Lead
Chief Security and Privacy Officer,
University of Chicago Medicine
Chairman of the Board, Association for Executives in Health Care Information Security

Julie Chua
Health Sector Government Coordinating Council Co-Lead
Risk Management, Office of Information Security
Office of the Chief Information Officer
U.S. Department of Health and Human Services

What is in the Health Industry Cybersecurity Practices Guide?

The legislation set forth very specific requirements that the task force's document must accomplish:

….a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes to achieve three core goals:

1. Cost-effectively reduce cybersecurity risks for a range of health care organizations;

2. Support the voluntary adoption and implementation of its recommendations; and

3. Ensure, on an ongoing basis that content is actionable, practical, and relevant to health care stakeholders of every size and resource level.

That is a pretty tough objective, but they have done a fantastic job IMHO.  The task force team included more than 150 members from the private and public sectors of the U.S. health care industry.  They have clearly worked very hard to come up with something sorely needed in the industry.

As they stated in the opening, the Task Group knew they couldn't do it all for everyone, so they had to break it down:

The Task Group determined that it was not feasible to address every cybersecurity challenge across the large and complex U.S. health care industry in a single document. The Task Group, therefore, made the decision to focus on the most impactful threats, with the goal of significantly moving the cybersecurity needle for a broad range of organizations within the industry.

5 Threats and 10 Protection Practices

To accomplish these lofty goals the Task Force identified what they believed were the 5 most common threats the health care industry is up against from a cybersecurity perspective.  Then they came up with 10 best practices to ensure you are protected from those threats as well as possible.  Those 5 threats are explained in the table below:

[image: table of the 5 threats from the HICP Main Document]

There is a Main Document which explains their objectives, approach, and reasoning, and then explains the five specific threats they decided to focus their efforts on addressing.  This is perfect for executives and other leadership who do not need to know the technical details but need to understand what the program is all about and why the recommendations are important to implement.  The authors work very hard to bring home two points: everyone has to participate, and this is a patient safety issue.

PHI Clarification
As a side note, David noticed an issue with the acronyms in the appendix.  It says PHI means Personal Health Information.  Maybe to them, but under HIPAA it does NOT.  It means Protected Health Information.

The additional accompanying documents are the details on how to get it done.  They include two technical documents and a resource guide.  The technical volumes provide the 10 practices and associated sub-practices that we should implement in order to address those 5 threats.  These kinds of documents are like the holy grail for technical people.  Best practices are what technical people want you to give them.

The first technical volume is for small health care organizations.  The second technical volume is for everyone else.  Before you decide which to use they have a table that helps you determine which one is right for your organization.  It is very important that you review this table before assuming you fall into the small organizations’ category.  Below is the matrix and you may be surprised just how small you need to be in order for volume 1 to apply to your organization.

[image: organization size matrix used to select Technical Volume 1 or 2]

Check out both volumes if you think you fit in the small category just to be sure you don’t have the capabilities to implement some of the higher level steps.  If you are an IT provider you definitely want to understand both documents fully so that you can propose what is reasonable and appropriate for your client organizations.

Since we mentioned reasonable and appropriate now is a good time to point out something very, very important.

Following these practices will NOT mean that you are HIPAA compliant.

There is also a Resources and Templates guide as I mentioned before.  This is one of the best summaries of all the different government resources available for cybersecurity that I have ever seen.  Instead of keeping track of all of these on my own I will just use this doc from now on.

Finally, they mention that there will be a Cybersecurity Practices Assessments Toolkit (Appendix E-1) available soon.  I sent an email and got an advance copy of it.  The spreadsheet they send is basically the shortcut version of the tech volumes.  I do encourage people to read the guides and not just jump to the spreadsheet and start working.  It is very important to understand the big picture, not just the specific steps you need to take to implement sub-practices.

It is important to note that they provide a cross-reference to the NIST Cybersecurity Framework in the technical manuals.  I am a huge fan of that!

How do you use the Health Industry Cybersecurity Practices Guide?

Use the Main document to educate everyone about cybersecurity.  There are some excellent examples, stats, and explanations that should be helpful for most anyone in your organization.  I really loved the fact that they have sections like Hand Hygiene for Cybersecurity, which goes right along with something I have been doing for years: Infection Control for your Technology, converting the CDC infection control guide into a cybersecurity infection control guide.  Maybe the idea spread?  We will assume it came from me!  HA!

Select the appropriate technical guide for the technical folks to use.  Well, at least people who can follow geek speak will use the technical guides.  If you are a very small organization with just a few employees the small version should be fine unless you have a lot of high tech tools and skills.  If you have tech skills you really should use volume 2.  The small organization version really is for those with little or no technical understanding or resources.  Look at it as the low-end approach for cybersecurity.

Each guide includes the 5 threats and the 10 practices but the sub-practices vary.  It is important to note that a large organization is expected to do everything in the medium AND the large organization sub-practices.  Let’s compare just one practice (E-mail Protection Systems) with the sub-practices for each size organization.

[table: E-mail Protection Systems sub-practices for small, medium, and large organizations]

The sub-practices are how each of the 10 practices is broken down in the technical guides.  Since all of you have been waiting for the whole list of practices, here they are:

  1. E-mail protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

Do they sound familiar to you?  Kind of like HIPAA requirements in a bit more detail.  These guides do not equal HIPAA compliance but they certainly will get you way closer to it than any other guide we have available.  This is kind of like a half CIS20 for healthcare.

The sub-practices are what set this initiative apart from other tools and concepts people have used for HIPAA before.  Below are each of the three sizes with the sub-practices from the Main document for your comparison.

[images: sub-practices for small, medium, and large organizations from the Main Document]

Finally, here is a real bonus of the work the Task Force has done.  The guides include suggested metrics to measure the effectiveness of the cybersecurity practices you implement.  That is a real bonus for all the IT folks out there like us who understand the importance of documenting the program’s activity and effectiveness.  Here is an example of just one of the points they list for measuring Endpoint Security practices:

Percentage of endpoints that meet all patch requirements each month. The first goal is to achieve a high percentage of success. Secondary goals are to ensure that there are practices to patch endpoints for third-party and OS-level application vulnerabilities and to be able to determine the effectiveness of those patches. Without the metric, there might not be checks and balances in place to ensure satisfactory compliance with expectations.
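To show what producing that metric actually involves, here is an added example (not code from the HICP guide or from this podcast).  It computes the monthly percentage of fully patched endpoints from an inventory, and, for the secondary goal, reports separately which endpoints are missing OS-level patches and which are missing third-party patches.  The inventory, patch identifiers, and the `REQUIRED` baseline are constructed for illustration; a real run would pull them from your RMM or patch management tool.  An endpoint whose OS has no baseline defined is counted as non-compliant rather than silently skipped, because an asset nobody has a patch baseline for is exactly the gap the metric exists to expose.

```python
"""Endpoint patch-compliance metric (added example, not from the HICP guide).

All endpoint names, OS labels, patch identifiers and the REQUIRED baseline
below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Endpoint:
    name: str
    os: str
    installed: set  # patch identifiers reported as installed (constructed)


# Required patches for the month, split by source so OS-level and
# third-party coverage can be reported separately (HICP secondary goal).
REQUIRED = {
    "windows10": {"os": {"KB-A", "KB-B"}, "third_party": {"chrome-120", "acrobat-23"}},
    "macos14": {"os": {"macOS-14.2"}, "third_party": {"chrome-120"}},
}

# Constructed inventory; comments note the deliberate gaps.
INVENTORY = [
    Endpoint("FRONTDESK-01", "windows10", {"KB-A", "KB-B", "chrome-120", "acrobat-23"}),
    Endpoint("EXAM-02", "windows10", {"KB-A", "chrome-120", "acrobat-23"}),  # missing KB-B
    Endpoint("BILLING-03", "windows10", {"KB-A", "KB-B", "chrome-119"}),      # old Chrome, no Acrobat
    Endpoint("DR-LAPTOP", "macos14", {"macOS-14.2", "chrome-120"}),
    Endpoint("LEGACY-XP", "windowsxp", {"KB-OLD"}),                           # no baseline defined
]


def missing_patches(ep, required=REQUIRED):
    """Return {'os': set, 'third_party': set} of required patches the
    endpoint lacks, or None when no baseline exists for its OS."""
    baseline = required.get(ep.os)
    if baseline is None:
        return None
    return {kind: baseline[kind] - ep.installed for kind in ("os", "third_party")}


def compliance_report(inventory, required=REQUIRED):
    """Compute the monthly metric: percent of endpoints meeting ALL patch
    requirements, plus the breakdown needed for the secondary goals."""
    total = len(inventory)
    fully_patched = 0
    missing_os = 0
    missing_third_party = 0
    no_baseline = []
    noncompliant = {}

    for ep in inventory:
        gaps = missing_patches(ep, required)
        if gaps is None:
            # Unbaselined asset: counted against compliance, flagged for follow-up.
            no_baseline.append(ep.name)
            noncompliant[ep.name] = {"os": set(), "third_party": set()}
            continue
        if not gaps["os"] and not gaps["third_party"]:
            fully_patched += 1
            continue
        noncompliant[ep.name] = gaps
        if gaps["os"]:
            missing_os += 1
        if gaps["third_party"]:
            missing_third_party += 1

    return {
        "total": total,
        "fully_patched": fully_patched,
        "percent_compliant": round(100.0 * fully_patched / total, 1) if total else 0.0,
        "endpoints_missing_os_patches": missing_os,
        "endpoints_missing_third_party_patches": missing_third_party,
        "endpoints_without_baseline": no_baseline,
        "noncompliant": noncompliant,
    }


if __name__ == "__main__":
    report = compliance_report(INVENTORY)
    print(f"{report['percent_compliant']}% of {report['total']} endpoints fully patched")
    for name, gaps in report["noncompliant"].items():
        print(f"  {name}: OS gaps {sorted(gaps['os'])}, third-party gaps {sorted(gaps['third_party'])}")
    if report["endpoints_without_baseline"]:
        print("  no patch baseline defined for:", ", ".join(report["endpoints_without_baseline"]))
```

On the constructed inventory this reports 40.0% compliance: two of five endpoints are fully patched, one is missing an OS patch, one is missing third-party patches, and one has no baseline at all.  Tracking the OS and third-party counts separately month over month is what lets you tell whether the third-party patching practice is actually working, rather than having a single number that hides which process is failing.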

The great news with this document is that it really can be used by any organization.  Share the news with all the folks you know that there really is something to help make it easier to understand and get protections in place.  There really is no excuse not to be using this guide to implement all the reasonable and appropriate practices, sub-practices, and metrics reporting in 2019.

Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it's about patient care.™