HHS last month released a guidance document that identifies the top five cybersecurity threats facing the health care industry and best practices on how to address them.
The guidance, which was mandated by the Cybersecurity Act of 2015, was created to help providers address the most common cybersecurity threats in the health care industry. The guidance was developed by a public-private taskforce of more than 150 cybersecurity and health care experts and was subjected to pre-testing sessions with U.S. health care professionals to evaluate the recommended best practices' effectiveness.
The five most common cybersecurity threats
In the guidance, the taskforce identified five of the most common cybersecurity threats in the health care industry:
1. Email phishing. The taskforce said hackers will send emails impersonating an individual's friends, coworkers, or managers to obtain sensitive information or infect a computer with a virus. The email will appear to come from a legitimate source, but when individuals open a link within the email, they will be taken to a website that will request sensitive information or proactively infect the computer.
2. Ransomware. The taskforce said ransomware is distinct from other malware because it involves hackers denying users access to their data through encryption. Hackers encrypt the data and withhold the decryption key until users pay a ransom to regain access. However, the taskforce said, "Paying a ransom does not guarantee that the hacker will unencrypt or unlock the stolen or locked data."
3. Loss or theft of equipment or data. Laptops, tablets, thumb drives, and other devices frequently are lost or stolen and can end up with hackers who will use the devices to access sensitive data, according to the guidance. When lost or stolen devices do not have passwords or other safeguards to protect sensitive data, hackers can gain illegal or unauthorized access to sensitive data, the taskforce said.
4. Accidental or intentional insider data loss. The health care industry faces both accidental and intentional internal threats, the taskforce said. Accidental data loss is the result of "honest mistakes, like being tricked, procedural errors, or a degree of negligence," the taskforce said. In comparison, intentional data loss is "malicious" and "caused by an employee ... with an objective of personal gain or inflicting harm to the organization or another individual," the guidance stated.
5. Attacks against connected medical devices. Internet-connected medical devices are becoming a concern in the health care industry because they could place a patient's safety at risk, according to the taskforce. The taskforce said a medical device malfunctioning could cause a disruption in a patient's treatment and recovery, or could have a "broad hospital operational impact due to unavailable medical devices and systems."
10 practices to reduce cybersecurity risks
The taskforce said "[h]ealth care organizations must implement safeguards to mitigate the impact of the threats" it identified. To do so, the taskforce highlighted 10 practices health care providers can use to reduce their cybersecurity risks:
- Access management;
- Asset management;
- Cybersecurity policies;
- Data protection and loss prevention;
- Email protection systems;
- Endpoint protection systems;
- Incident response plans;
- Medical device security mechanisms;
- Network management; and
- Vulnerability management.
The taskforce said, "The breadth and complexity of these threats complicates mitigation," adding, "When threats and vulnerabilities are identified and assessed for potential impact, the most effective combination of safeguards and cybersecurity practices must be determined based on the organization's particular needs, exposures, resources, and capabilities" (Weber, Inside Health Policy, 1/2 [subscription required]; Manos, Healthcare IT News, 1/2; Kim Cohen, Becker's Health IT & CIO Report, 1/3).