Getty Images/iStockphoto

HSCC Shares Guide to Protecting Healthcare Trade Secrets, Research

The latest Healthcare and Public Health Sector Coordinating Council (HSCC)insights detail ways healthcare entities can better secure its trade secrets and medical research from cyber theft.

The Healthcare and Public Health Sector Coordinating Council (HSCC) today released guidance on ways healthcare entities can best protect its trade secrets, medical research, and other valuable innovation capital from cyber theft.

HSCC’s Joint Cybersecurity Working Group is a private-public partnership of healthcare companies and providers, which includes more than 260 medical device and health IT companies, direct patient care entities, and a host of others.

The insights were developed to implement a major recommendation of the group’s 2107 report, which outlined the need for identifying “mechanisms to protect R&D efforts and intellectual property from attacks or exposure.”

The white paper comes just days after the Department of Homeland Security and the FBI issued a warning to the healthcare sector that hackers tied to the People’s Republic of China are targeting and compromising the networks of medical research facilities working on the response to COVID-19.

“Recent indications of attempts at industrial espionage to steal vaccine data and other medical research make the HIC-PIC guide a particularly timely resource for the health sector,” Russell Koste, Alexion Pharmaceuticals CISO, and a co-chair of the HSCC task force, said in a statement.

“At the same time, the COVID-19 pandemic appears to have heightened barriers to trade which can impose an adverse effect on international trade relations and the industry's ability to protect IC,” he added.

Developed by the HSCC Joint Cybersecurity Working Group, the guidance examines both US and international legal remediation trends for securing innovation capital, as well as detailing challenges to enforcement.

Healthcare entities will also find a range of recommendations for specific information protection controls designed to improve the overall protection of healthcare innovation capital, which includes case studies that outline the factors fueling innovation capital theft and tools designed to detect and defend against capital theft.

The five case studies cover a conspiracy to steal pharmaceutical trade secrets, a theft of the development of a medical device pen injector, wind turbine source code theft, an academia hack, and a “cloud hopper” innovation capital theft by accessing a managed service provider.

Further, HSCC provides insights on the “significant business consequences resulting from each loss.”

The white paper also outlines national and international laws, including legal safeguards, trade secrets laws, as well as practical recommendations and considerations.

HSCC also provided healthcare entities with recommendations for information protection controls. The report authors stressed that while foundational controls may demonstrate due diligence -- they are not enough to sufficiently protect an organization’s innovation capital.

The recommendations build on key foundational aspects, including a risk management program, malicious code protection, intrusion detection systems, security incident and event monitoring systems, a secure development lifecycle and firewalls, and other standard security controls.

To protect innovation capital, healthcare entities will need to employ additional controls, such as extended detective, protective, and administrative controls across multiple aspects that include administrative, technical, physical, and legal functions.

HSCC provided its recommendations for control introductions and implementation guidance to address these challenges – particularly addressing the human factor in security. As noted by many stakeholders, insider vulnerabilities continue to plague healthcare and has increased in recent years as hackers target users with social engineering and email spoofing attempts.

In fact, insider breach remediation costs the healthcare and pharmaceutical sectors an average of $10.81 million each year.

Lastly, the guide contains passive measures healthcare entities should employ to best protect crucial data, from information asset governance and physical security policies, to systems and information use restrictions and workforce engagement and training.

“Whether we are operating in extraordinary situations like the global pandemic or business as usual, robust IC protection controls must remain top of mind to enable secure data and technology transfer in the supply chain, which safeguard domestic innovation and mitigate the risk of IC loss to threat actors,” Greg Garcia, executive director of the HSCC Cybersecurity Working Group, said in a statement.

The latest HSCC white paper is the third published this year and the eighth guide released by the task force in the last 18 months.

Healthcare organizations can leverage these resources to find actionable best practices for securing the enterprise, including information sharing best practices, COVID-19-related telework, cybersecurity staffing, medical device security, and supply chain management, among other crucial security topics.

Next Steps

Dig Deeper on Cybersecurity strategies