A healthcare cybersecurity task force comprised of several members of the information security industry and U.S. agencies released a detailed and prescriptive 96-page report (PDF) on improving security in the healthcare industry earlier this month.
According to the task force, the challenges the healthcare industry faces include:
- Theft of patient data. Patient data fuels improved patient care and new treatment development, but can also be used for fraud, identity theft, stock manipulation, etc.
- Complex, multi-user environments. Large, complex health systems involve many different players (payers, physicians, research institutions, medical device developers, etc.), which increases the complexity of the environment.
- A matrix of federal and state regulations. Many different laws can develop barriers to innovation and ease of use.
These are some of the difficulties healthcare organizations face when it comes to properly securing their systems:
- Significant resource constraints. Operating margins can drop below one percent, and many organizations can’t afford in-house information security or even security-designated IT staff.
- Lack of visibility. A shortage of resources results in the lack of infrastructure and systems to identify, track, analyze and translate threat data into actionable information.
- Legacy systems. Both small and large organizations have unsupported, outdated hardware, software and operating systems that can’t easily be replaced, which opens them up to the risk of large numbers of vulnerabilities.
Citing the rash of ransomware that has plagued all types of healthcare organizations and systems, the report emphasized the need for more education and awareness about security in the healthcare industry.
“Healthcare cybersecurity is a key public health concern that needs immediate and aggressive attention.”
-- Report on Improving Cybersecurity in the Healthcare Industry; the Healthcare Industry Cybersecurity Task Force
Where can organizations turn for risk management guidance?
The report recommends leveraging the NIST Cybersecurity Framework - identify, protect, detect, respond and recover - as a way to help manage security risks at a macro level. Because the framework is not healthcare-specific, the task force recommends using FDA guidance for medical device risk management. It also recommends referring to NIST’s Special Publication on Securing Electronic Health Records on Mobile Devices.
The task force will address the following imperatives to increase security within the healthcare industry:
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
- Increase the security and resilience of medical devices and health IT.
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Increase health care industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, risks, and mitigations.
Security Recommendations in the Healthcare Industry
Within each imperative statement, the report lists many recommendations and action items, most of which are too extensive and detailed to summarize properly here.
But here are a few of the key points:
Recommendation 2.1: Secure Legacy Systems
The task force refers to legacy medical devices and electronic healthcare record (EHR) applications operating without the ability to receive security updates that protect against the latest vulnerabilities.
Organizations should identify, classify and develop an approach to updating legacy systems, which is easier said than done, of course.
The report lists action items to help this cause, including suggestions for the government and industry to develop incentives to phase out legacy technology and create better procurement processes for the future.
Action Item 2.1.3: Real-Time Updates and Patches
Another action item requires organizations to make real-time updates and patches available, along with compensating controls for end users. Organizations also need to have policies in place to receive and implement available updates.
One way Duo helps with this action item is by checking the security health of each device at authentication; these checks include indicators of out-of-date software and whether devices are company-owned or employee-owned.
If a device needs to be updated, you can create a policy that notifies the user to immediately update before they log into your systems. This preventative approach makes it easier for IT staff short on resources to enforce real-time updates.
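The device-health check described above, as an added illustration that is not Duo's code or API: at login, the indicators a device reports (platform, OS and browser versions, whether it is company-managed) are evaluated against a policy, and the result is either to allow the login, allow it while telling the user to update immediately, or block it. The policy values, field names and sample device reports are all constructed for this example.

```python
"""Device-health check at authentication time (added illustration, not Duo's code).

Evaluates the indicators a device reports at login against a simple policy and
returns allow / warn / block. The policy values and device reports below are
constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DeviceReport:
    device_id: str
    platform: str          # "windows", "macos", ...
    os_version: str
    browser: str           # "chrome", "firefox", ...
    browser_version: str
    managed: bool          # True = company-owned/enrolled, False = employee-owned


# Constructed policy: minimum versions per platform and browser, and whether
# employee-owned (unmanaged) devices may reach the application at all.
POLICY: Dict = {
    "min_os": {"windows": "10.0.19045", "macos": "13.0"},
    "min_browser": {"chrome": "120.0", "firefox": "115.0"},
    "allow_unmanaged": False,
}

# Decisions ranked by severity; the worst finding determines the outcome.
SEVERITY = {"allow": 0, "warn": 1, "block": 2}


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract numeric components, e.g. '121.0.6167.85' -> (121, 0, 6167, 85)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_at_least(actual: str, minimum: str) -> bool:
    """Compare dotted versions numerically, zero-padding so '13' equals '13.0'."""
    a, m = parse_version(actual), parse_version(minimum)
    n = max(len(a), len(m))
    return a + (0,) * (n - len(a)) >= m + (0,) * (n - len(m))


def evaluate(report: DeviceReport, policy: Dict = POLICY) -> Tuple[str, List[str]]:
    """Return (decision, reasons) where decision is 'allow', 'warn' or 'block'.

    'warn' lets the login proceed but tells the user to update right away;
    'block' refuses it. Anything the policy cannot evaluate fails closed.
    """
    findings: List[Tuple[str, str]] = []

    min_os = policy["min_os"].get(report.platform)
    if min_os is None:
        findings.append(("block", f"platform {report.platform!r} is not covered by policy"))
    elif not version_at_least(report.os_version, min_os):
        findings.append(("warn", f"OS {report.os_version} is below minimum {min_os}; update required"))

    min_browser = policy["min_browser"].get(report.browser)
    if min_browser is None:
        findings.append(("block", f"browser {report.browser!r} is not covered by policy"))
    elif not version_at_least(report.browser_version, min_browser):
        findings.append(("warn", f"{report.browser} {report.browser_version} is below minimum {min_browser}; update required"))

    if not report.managed and not policy["allow_unmanaged"]:
        findings.append(("block", "employee-owned device; policy requires a company-managed device"))

    if not findings:
        return "allow", []
    worst = max(findings, key=lambda f: SEVERITY[f[0]])[0]
    return worst, [msg for _, msg in findings]


if __name__ == "__main__":
    # Constructed device reports as they might be collected at login.
    samples = [
        DeviceReport("ws-er-01", "windows", "10.0.19045", "chrome", "121.0.6167.85", managed=True),
        DeviceReport("mac-clinic-07", "macos", "12.6.3", "chrome", "121.0.6167.85", managed=True),
        DeviceReport("byod-laptop", "windows", "10.0.19045", "chrome", "121.0.6167.85", managed=False),
        DeviceReport("kiosk-legacy", "winxp", "5.1", "ie", "8.0", managed=True),
    ]
    for r in samples:
        decision, reasons = evaluate(r)
        print(f"{r.device_id:<14} {decision:<6} {'; '.join(reasons)}")
```

The design choice worth noting is that the check fails closed: a platform or browser the policy does not know about is blocked rather than waved through, and a device that is merely out of date gets a "warn" so the user can update before the next login, while ownership violations are blocked outright regardless of patch level.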
Recommendation 2.4: Strong Authentication
One common scenario in a hospital setting requires clinicians to sign into multiple computers throughout their facilities to access patient medical records, order diagnostic tests, prescribe medication, etc. Most often they use a single factor to log in, up to 70 times per shift.
The report states that:
"...single factor approach to accessing information is particularly prone to cyber attack as such passwords can be weak, stolen and are vulnerable to external phishing attacks, malware and social engineering threats."
The report’s Action Item 2.4.2 recommends adopting the NIST SP 800-46 guidelines for remote access, including the use of two-factor authentication to secure access to electronic healthcare record (EHR) systems or health information exchanges external to the hospital or clinical environment.
Duo’s Guide to Securing Patient Data
Learn more about Duo for Healthcare, including how Duo’s two-factor authentication can help healthcare organizations meet Health Insurance Portability and Accountability Act (HIPAA) guidelines for mitigating risks associated with remote access to systems containing patient data.
Download our Guide to Securing Patient Data. To help you navigate patient data security, our guide will:
- Summarize relevant health IT security legislation, including federal and state
- Provide information security guidelines on remote access risks and solutions
- Provide extensive security resources and a real hospital case study
- Explain how to protect against modern attacks and meet regulatory compliance with two-factor authentication