
Top Healthcare Cybersecurity Resources from NIST, HHS, OCR, HSCC

Staffing challenges and budget constraints make it difficult for some healthcare entities to bolster enterprise security. Resources from NIST, HHS, OCR, HSCC, and others can support the development of cybersecurity plans.

Many healthcare providers struggle to find and retain security staff and operate under tight budgets, both of which make it difficult to properly secure the enterprise. In response, a host of industry stakeholders have provided free cybersecurity resources to support those organizations in shoring up vulnerabilities and keeping pace with the ever-evolving threat landscape.

So far in 2020, some of the biggest data breaches were caused by ransomware, business associates, phishing, and hacking incidents. All have spotlighted the industry’s biggest vulnerabilities, while continuing to serve as a reminder of the need to find these gaps and strengthen the overall cyber posture across the sector. 

An abundance of resources provide healthcare entities with nearly step-by-step guidance on the biggest threats, including ransomware, telework, supply chain, and other significant risks. As industry stakeholders have continued to stress, providers can no longer take a reactive approach to cybersecurity. 

NIST 

CynergisTek reported that just 44 percent of healthcare entities conform with the NIST cybersecurity framework standard. That is an alarming statistic, given that NIST has released guidance for nearly all security challenges, programs, and needed policies.

Although it's not targeted to the healthcare sector, the NIST standard provides a foundation for many security frameworks. What’s more, these resources are free and often have case studies built into the framework – providing real-world applications for these crucial security policies and plans. 

Just this week, NIST released a performance measurement guide for information security, privacy and security controls for information systems and organizations, and insights on maintaining data integrity when recovering from ransomware and other destructive events. 

Healthcare entities can find NIST insights on cybersecurity, supply chain risk management, enterprise risk management as it relates to protecting privacy, zero trust architecture strategies, big data interoperability, mobile security, workforce development and cybersecurity partnerships, and managing IoT privacy and cybersecurity.

Healthcare and Public Health Sector Coordinating Council (HSCC)

The Joint Cybersecurity Working Group of HSCC is a private-public partnership of healthcare entities and providers, including over 250 medical device and health IT companies, direct patient care entities, and others. The work has resulted in one of the most crucial resource banks designed specifically for the healthcare sector. 

Healthcare entities can find insights on securing medical devices throughout the lifecycle, supply chain cybersecurity management and toolkit, securing medical research and trade secrets, threat information sharing organizations and best practice guidance, and tactical crisis response. 

But one of the most important HSCC resources is designed to help healthcare entities tackle one of the sector's most pressing issues: cybersecurity employee shortages. The guidance shows different ways providers can creatively fill some of those gaps by training IT staff, leveraging college students, and other methods for recruiting and retaining staff.

Department of Health and Human Services

In 2018, HHS released a four-volume set of voluntary cybersecurity guidelines meant to reduce security risk and bolster cybersecurity programs in the healthcare sector. 

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients was the result of a partnership of more than 150 cybersecurity and healthcare leaders. While there are some missing elements, the guidance was lauded for breaking down insights by threat and organization size. 

The guide is meant to aid organizations in meeting both compliance and reporting obligations and educate the sector on cybersecurity language. 

HHS has also released routine insights to answer the most frequently asked questions on cybersecurity and HIPAA compliance concerns in the sector. The FAQs explain provider liability as it relates to third-party health apps, costs associated with patients' right of access rules, telehealth use amid COVID-19, health plan data sharing, and protected health information disclosures.

Office for Civil Rights 

OCR routinely releases cybersecurity newsletters, which present extensive insights into many common cybersecurity concerns and challenges. Typically, these insights relate to present threat trends and recent challenges. 

For example, the Summer 2020 newsletter highlighted the need for healthcare entities to perform a thorough IT asset inventory prior to a risk analysis. While an inventory is not required by HIPAA, the rule does require a thorough risk analysis of all potential risks and vulnerabilities to ePHI, which can be supported by a complete IT asset inventory. 

The agency has also shed light on ransomware mitigation and response, privacy and security resources, COVID-19 data sharing for first responders, cyber scams, media access restrictions to PHI, mHealth apps and cloud computing, and a security risk assessment tool. 

Microsoft

Microsoft has also released insights, in particular for the healthcare sector, in light of the rise in ransomware incidents. During COVID-19, the tech giant shared two releases on human-operated cyberattacks as double extortion threat actors continued to target the sector. 

Previous ransomware guidance from Microsoft centered around the need for organizations to invest in email security – and to stop paying the ransom to ransomware threat actors. 

The tech giant has also shed light on the effectiveness of multi-factor authentication and best practices, as its data showed MFA blocks 99.9 percent of automated cyberattacks. 

National Security Agency

In 2020, the NSA has made a significant effort to be more transparent and more supportive of private sector organizations in order to reduce cybersecurity risks across the country. So far this year, the agency has released at least four critical guides, as well as several alerts amid the COVID-19 pandemic.

Healthcare entities can find NSA insights and assessments on cybersecurity for COVID-19 telework, mitigating cloud vulnerabilities and threats, web shell and malware vulnerabilities, and securing IPsec virtual private networks (VPNs) for telework and remote sites.
