Health Industry Threats
Health industry threats are still on the rise. Healthcare organizations remain a target for threat actors pursuing monetary gain or fulfilling some nation-state’s agenda. As patient care increasingly relies upon technology and availability of that data, it is critical that healthcare organizations understand the threat landscape and their exposure to such attacks. However, many organizations do not have the time or personnel equipped to focus solely on identifying and mitigating risks that the organization faces. The Health Industry Cybersecurity Practices (HICP) volumes provide an excellent resource for healthcare entities looking for a succinct overview of the current threat landscape as well as a collection of cost-effective controls and defensive measures to put in place to protect against the most prevalent attack vectors.
Health Industry Cybersecurity Practices
Per the 405(d) HHS website (The updated 2023 edition of the HICP documents is available here), “The 405(d) Program is a collaborative effort between industry and the federal government to align healthcare industry security practices to develop consensus-based guidelines, practices, and methodologies to strengthen the healthcare and public health (HPH) sector’s cybersecurity posture against cyber threats.”
This program is a result of the Cybersecurity Act of 2015 (CSA) and the Task Group originally convened in 2017 consists of members of HHS, DHS, NIST, CMS, FDA, OCR, and many more.
The Volumes consist of three separate documents.
The Main document describes the origin of the 405(d) Task Group, as well as descriptions of the top 5 threats facing the healthcare industry which are social engineering, ransomware attacks, loss or theft of equipment or data, insider/accidental/malicious data loss, and attacks against network connected medical devices.
The Technical Volumes contain the Cybersecurity Practices which are broken into 10 categories and also provide varying controls depending on the size and complexity of the organization (small, medium, and large).
The 10 categories they specify to protect against the top 5 threats are:
- Email Protection Systems
- Endpoint Protection Systems
- Access Management
- Data Protection & Loss Prevention
- Asset Management
- Network Management
- Vulnerability Management
- Security Operation Centers & Incident Response
- Network Connected Medical Devices
- Cyber Security Oversight & Governance
Each Practice area contains sub-practices with specific control recommendations that also include NIST Framework References. These sub-practices are not prescriptive, but instead provide context and insight as to the purpose of a control so the consumer of the document can best apply it in their environment. In some cases, the guidance is a bit high level in nature, but typically contains enough information to understand the intent of a control and where to spend time on other related considerations. Please note that while the guidance is valuable, adherence to these controls does not alone satisfy or replace the need to comply with applicable regulations or governance standards.
Health Industry Threats
If you are a healthcare organization (or really any type of organization) that is seeking guidance to mature and understand where to focus efforts to enhance your defenses against the most common threats, I highly recommend reading through the HICP Volumes. The documents are well written and not only describe the recommended control, but also why it is important and how it intends to mitigate the associated threats. This article is not meant to be a comprehensive summary of the HICP Volumes, but merely meant to provide a high-level overview and spread awareness of the material.
MORE FROM WHITE OAK SECURITY
White Oak Security provides deep-dive offensive security testing. We are a highly skilled and knowledgeable cyber security and penetration testing company that works hard to help organizations strengthen their security posture by getting into the minds of opponents to try to protect those we serve from malicious threats through expertise, integrity, and passion.
Our unique industry experience allows us to offer a wide range of services to help analyze and test information security controls and provide guidance to prioritize and remediate vulnerabilities.