HHS and HSSC Publish New Cybersecurity Practices for the Healthcare Sector




On December 28, 2018, the Department of Health and Human Services (HHS), in partnership with the Health Sector Coordinating Council (HSSC), released "Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients" (HICP), a four-volume publication designed to provide voluntary cybersecurity practices to health care organizations of all types and sizes, from local clinics to large health care systems. The HICP publication fulfills a mandate set out in Section 405(d) of the Cybersecurity Act of 2015 to develop practical cybersecurity guidelines that cost-effectively reduce cybersecurity risks for the health care sector. HHS and HSSC led a working group made up of leaders in the cybersecurity industry, charged with developing the HICP publication. All health organizations should review and consider implementing the recommendations set out in the HICP publication.

The main document of the HICP publication explores the five most relevant and timely threats to the health care sector and recommends 10 cybersecurity practices to help mitigate them. The main document presents actual events and statistics illustrating the financial and IT implications of cyber incidents. In addition, the HICP publication calls on all industry players to take protection and prevention measures.

HHS notes that implementing cybersecurity practices is not a one-size-fits-all approach. The complexity of an organization's cybersecurity needs will increase or decrease depending on its specific characteristics and the nature of the products and/or services it provides. Therefore, the HICP publication also includes two technical volumes intended for IT and information security professionals, organized by the size of the healthcare organization. Technical Volume 1 focuses on cybersecurity practices for small health care organizations, while Technical Volume 2 focuses on practices for medium and large health care organizations. The final volume of the HICP publication provides resources and templates that organizations can use to assess their cybersecurity posture and to develop policies and procedures.

Five most common cybersecurity threats to the industry

The main document of the HICP publication ranks the following as the most common cybersecurity threats to the health care sector and provides examples of cybersecurity practices to minimize them. For each threat, the HICP publication examines the vulnerabilities, the impact and the practices to be considered.

  1. E-mail phishing attacks

An e-mail phishing attack is an attempt to entice the recipient of an e-mail to give up information by e-mail. It occurs when an attacker, pretending to be a trusted person (such as a friend, coworker or business partner), sends a phishing e-mail containing a link or an active file (often an image or graphic). When the e-mail recipient opens the link, they are directed to a website that may solicit sensitive information, proactively infect the computer or compromise the organization's entire network. Opening the link or file may result in the download of malicious software or in access to information stored on the recipient's computer or on other computers on the company's network.

According to the HICP publication, the lack of IT resources for handling suspicious e-mails, the lack of software to analyze e-mails for malicious content or false links, the lack of e-mail detection software to test e-mail for malicious content, and the lack of e-mail sender and domain validation tools are vulnerabilities that can expose a health organization to the phishing threat. E-mail phishing attacks can have a negative impact on a healthcare organization by causing loss of reputation in the community, stolen access credentials, erosion of trust or brand reputation, and possibly an impact on the ability to provide quality patient care in a timely manner, which could lead to patient safety issues.

The HICP publication recommends that health care organizations adopt the following practices to protect themselves from e-mail phishing attacks:

  • Be wary of e-mails from unknown senders; e-mails requesting sensitive information, such as protected health information (PHI) or personally identifiable information (PII); or e-mails including a call to action that insists on urgency or importance.
  • Train staff to recognize suspicious e-mails, where to send them, and never to open attachments from unknown senders.
  • Implement the following:
    • Incident response playbooks to manage successful phishing attacks;
    • Advanced technologies to detect and test e-mail for malicious content or links;
    • Multifactor authentication; and
    • Proven and tested response procedures for when employees click on phishing e-mails.
  • Establish cyber threat information sharing with other health care organizations.

  2. Ransomware attacks

HHS defines ransomware as "a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user's data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid."[1] Most ransomware attacks are delivered by phishing campaign e-mails asking the recipient to open an attachment or click on an embedded link. Once a user's data is encrypted, the ransomware directs the user to pay the hacker, usually in cryptocurrency, to receive a decryption key that releases the data. Paying the ransom does not guarantee that the hacker will decrypt or unlock the stolen or locked data.

According to the HICP publication, the lack of system backups, the lack of anti-phishing capabilities, unpatched software, the lack of malware detection and remediation tools, the lack of tested and proven data backup and restoration, and the lack of network security controls, such as segmentation and access control, are vulnerabilities that can expose a company to ransomware. Ransomware attacks can have a negative impact on a healthcare organization by causing total or partial interruption of clinical and service activities, patient safety and patient care issues, and remediation costs following a ransomware attack. In addition, it is important to note that the presence of ransomware (or any other malicious software) on the IT system of a covered entity or business associate is a security incident within the meaning of the HIPAA Security Rule, and that entity or business associate must initiate its security incident response and reporting procedures.[2]

The HICP publication recommends that healthcare organizations adopt the following practices to protect themselves against ransomware attacks:

  • Ensure that users understand authorized patching procedures, and patch software according to those procedures.
  • Specify which computers may access and store sensitive or patient data.
  • Use strong, unique user names and passwords together with multifactor authentication.
  • Limit the number of users who can log in from remote offices and the number of authentication attempts allowed, to counter brute-force attacks.
  • Deploy malware detection and remediation tools.
  • Separate critical or vulnerable systems from threats.
  • Maintain a complete and up-to-date asset inventory.
  • Implement tried and tested data backup and recovery, as well as proven incident response procedures. Backups must be secured so that they are not accessible from the network they back up.
  • Establish cyber threat information sharing with other health care organizations.

  3. Loss or theft of equipment or data

The HICP publication states that mobile devices such as laptops, tablets, smartphones and USB drives are lost or stolen every day and can end up in the hands of hackers. According to HHS, from January 1, 2018 to August 31, 2018, the Office for Civil Rights received 192 theft cases involving 2,041,668 people. When lost equipment is not properly protected or password protected, the loss may result in unauthorized or illegal access to, dissemination of, and use of sensitive data.

According to the HICP publication, vulnerabilities that could lead to the loss or theft of equipment or data include:

  • Lack of inventory and asset control;
  • Failure to encrypt data at rest;
  • Lack of physical security practices, including open offices and poor physical management;
  • Lack of simple protections, such as computer cable locks to secure devices;
  • Lack of effective vendor security management, including controls to protect equipment or sensitive data; and
  • Absence of an "end-of-service" process to erase sensitive data before IT assets, including medical devices, are discarded or transferred to other users or organizations.

The loss or theft of equipment or data can have a negative impact on a health organization by causing inappropriate access to or loss of sensitive information, including proprietary or confidential information or intellectual property. In addition, unencrypted PHI or PII may be stolen or lost, which could result in data breaches that require notification of the affected individuals, regulators and media. In addition, the reputation of the health care organization could be severely damaged.

The HICP publication recommends that health care organizations adopt the following practices to protect themselves from loss or theft of equipment or data:

  • Encrypt sensitive data, especially when transmitting it to other devices or organizations. Encrypt data at rest on mobile devices so that it is inaccessible to anyone who finds them.
  • Implement proven and tested data backup and recovery, as well as a mobile device protection policy supplemented by ongoing user awareness training on securing these devices.
  • Acquire and use data loss prevention tools.
  • Report loss or theft promptly to the designated persons in the company so that they can terminate the device's access to the network.
  • Maintain a complete, accurate and up-to-date asset inventory to mitigate threats, especially the loss and theft of mobile devices such as laptops and USB sticks.
  • Define a process with clear responsibilities for wiping sensitive data from each device before it is removed, refurbished or resold.

  4. Insider, accidental or intentional data loss

Insider threats exist in every health organization where employees, contractors or other users access the company's technology infrastructure, network or databases. HHS places insider threats in two groups: accidental insider threats and intentional insider threats. An accidental insider threat is an unintended loss caused by honest mistakes, such as being deceived, procedural errors or some degree of negligence. For example, falling victim to an e-mail phishing attack is an accidental insider threat. An intentional insider threat is a malicious loss or theft caused by an employee, contractor or other user of the company's technology infrastructure, network or databases, for the purpose of personal gain or to harm the organization or another person.

According to the HICP publication, healthcare organizations are vulnerable to insider data loss when:

  • Files containing sensitive data are accidentally e-mailed to incorrect or unauthorized recipients;
  • There is inadequate monitoring, tracking and auditing of access to patient information in electronic health record systems;
  • There is insufficient logging and auditing of access to critical technology assets, such as e-mail and file storage;
  • There are no technical controls to monitor e-mailing and downloading of sensitive data outside the organization's network; and
  • There is a lack of physical access controls or of training on social engineering and phishing attacks.

Insider data loss may result in reportable data breaches and incidents when PHI or PII is accidentally lost via e-mail or unencrypted mobile storage. In addition, reportable incidents can occur when employees improperly view patient information. Financial loss can occur due to socially engineered insiders who do not follow proper procedures, and to employees who give away bank account and routing numbers after falling victim to e-mail phishing attacks disguised as bank communications.

The HICP publication recommends that health care organizations adopt the following practices to prevent accidental or intentional data loss by an insider:

  • Train staff and IT users in data access and financial control procedures to mitigate social engineering or procedural errors.
  • Implement and use the following:
    • Auditing of personnel access to medical record systems and sensitive data;
    • Privileged access management tools to flag access to critical technology infrastructure and systems; and
    • Data loss prevention tools to detect and block PHI and PII leaks via e-mail and web download.

  5. Attacks on connected medical devices that may affect patient safety

The Food and Drug Administration (FDA) defines a medical device as "an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease."[3] The HICP publication indicates that a hacker may attempt to gain access to a health care provider's network to take control of a connected medical device in order to put patients at risk.

HHS notes that connected medical devices may be vulnerable if software patches are not applied promptly, such as current operating system patches as part of medical device maintenance, or if existing hardware that is outdated and lacks current functionality remains in use. In addition, according to HHS, connected medical devices, unlike IT equipment, cannot be monitored by an enterprise intrusion detection system (IDS). As a result, patient safety and the protection of data integrity depend on identifying and understanding threats and threat scenarios. However, the difficulty of identifying and resolving vulnerabilities in medical devices increases the risk of threats compared with managed IT products. For medical devices, cybersecurity profile information is not readily available to health care organizations, further complicating cybersecurity optimization. This can result in missed opportunities to identify and resolve vulnerabilities, increasing the likelihood of threats leading to undesirable effects.

Compromised connected medical devices have broad implications for health care organizations, as the devices may become totally unavailable or may not work properly, compromising patient safety.

The HICP publication recommends that healthcare organizations adopt the following practices to protect themselves from attacks on connected medical devices:

  • Establish and maintain communication with the product security teams of the connected medical device's manufacturer.
  • Patch devices after the patches have been validated, distributed by the medical device manufacturer and properly tested.
  • Evaluate the current security controls of networked medical devices and inventory their characteristics, such as IT components, which may include MAC (Media Access Control) address, IP address, network segments, operating systems, applications and other elements relevant to information security risk management.
  • Implement the following:
    • Pre-procurement security requirements for vendors;
    • Information security assurance practices, such as security risk assessments of new devices and validation of vendor practices on networks or facilities;
    • Access controls for clinical support staff and vendors, including remote access, vendor access monitoring, multifactor authentication and minimum necessary or required privileges; and
    • Security operations practices for devices, including hardening, remediation, monitoring and threat detection capabilities.
  • Engage information security as a stakeholder in clinical procurement.
  • Use a contract template with medical device manufacturers and others.
  • Develop and implement network security applications and practices for device networks.

10 cybersecurity practices to minimize threats

The HICP publication includes two volumes that provide specific cybersecurity practices for IT security professionals, split between a volume for small health care organizations and a volume for medium and large health care organizations (the HICP technical volumes). Among other criteria, the HICP publication classifies a "small health organization" as one with one to ten physicians, one or two health information exchange partners and a single practice or care site. Medium to large health organizations have 26 to more than 500 providers, include multiple sites across a large geographic area, and have a large number of health information exchange partners. The two HICP technical volumes provide general cybersecurity practices to address the top five cybersecurity threats to health care organizations. Each general cybersecurity practice is then divided into specific sub-practices that address the technical components required to implement it. The HICP recommends a total of 88 organization-specific sub-practices to be considered in an organization's cybersecurity framework.

  1. E-mail protection systems

Health care organizations are often targeted by e-mail attacks. As a result, the HICP technical volumes recommend that the following practices be adopted to protect e-mail systems. E-mail systems must be configured so that controls are in place to improve security. Small health care organizations should check with their e-mail service provider to make sure that controls are in place or enabled. The HICP technical volumes recommend avoiding "free" or "consumer" e-mail systems, as they are not licensed to store, process or transmit personal health information. Instead, it is suggested that health care organizations outsource to a service provider that serves the health care sector. Workforce education and training programs that include sections on phishing and on recognizing phishing techniques should be implemented.

The HICP technical volumes recommend that large health organizations consider advanced threat protection services that offer protection against phishing attacks and malware, implement digital signatures that allow the sender to cryptographically sign and verify e-mail messages, and use data analysis to determine the most frequently targeted users in the organization. In addition, larger health care organizations should have more robust education programs, including simulated phishing campaigns, continuous and targeted training, newsletters and periodic meetings with information security departments.

  2. Endpoint protection systems

The HICP technical volumes recommend that devices such as desktops, laptops, mobile devices and other connected devices (e.g. printers and medical equipment) be protected. Smaller health care organizations need to put in place basic endpoint controls, such as:

  • Removing administrator access accounts for all users and limiting administrator access to a small number of users;
  • Regularly updating systems to eliminate vulnerabilities that attackers can exploit;
  • Antivirus software;
  • Endpoint encryption;
  • Firewalls; and
  • Multifactor authentication for remote access.

Large health care organizations should take extra precautions, including establishing baseline endpoint controls such as:

  • Antivirus software capable of detecting known malware with the aid of signatures, heuristics and other techniques;
  • Full disk encryption, which encrypts the entire disk to make it unreadable to unauthorized persons;
  • Configuring the endpoint's operating system as securely as possible: limiting the use of local administrator accounts, enabling local firewalls, limiting inbound access to the endpoint to only the required ports, and disabling unnecessary services and programs;
  • A process to regularly patch the endpoint's operating system and third-party applications;
  • Privileged access provisioning for users to install or update application software and operating systems; and
  • Mobile device management technologies to manage device configuration and provide application management and containerization.

  3. Identity and Access Management

The HICP technical volumes recommend that healthcare organizations of all sizes clearly identify all users and set up audit trails to control each user's access to data, applications, systems and endpoints. According to the HICP technical volumes, companies of all sizes should implement an Identity and Access Management (IAM) program, which encompasses the processes, people, technologies and practices related to granting, revoking and managing user access. The HICP technical volumes indicate that, given the complexity of health care environments, IAM models are essential to limit the security vulnerabilities that can expose organizations.[4] Basic authentication methods rely on user names and passwords, a model whose weakness has been demonstrated by the success of phishing and hacking attacks. The HICP technical volumes recommend stronger authentication methods, such as passphrases, and rate limiting of authentication attempts to significantly restrict the ability of automated systems to brute-force passwords.

  4. Data protection and loss prevention

The HICP technical volumes recommend that all health facilities establish a data classification policy that categorizes data (e.g. highly sensitive, sensitive, internal or public use) and identifies the types of records relevant to each category. For example, the "sensitive data" category should include personal health information, Social Security numbers (SSNs), credit card numbers and any other information that is subject to regulation or could be used to commit fraud or harm the company's reputation. Once the data is classified, procedures can be written describing how it may be used according to its classification. The HICP technical volumes recommend that the health care organization's staff be trained to comply with the organization's policies and, at a minimum, that annual training be provided on the use of encryption and on restrictions on transmitting PHI.

  5. Asset Management

The HICP technical volumes advise health care organizations with effective cybersecurity practices to manage IT assets with the help of processes known collectively as IT Asset Management (ITAM). It is recommended to implement ITAM processes for all endpoint computers, servers and network equipment to prevent loss. ITAM processes enable organizations to understand their devices and the best options for securing them. The HICP technical volumes indicate that ITAM processes can be difficult to implement and maintain, but that these processes must be part of everyday IT operations and encompass the life cycle of each IT asset, including procurement, deployment, maintenance and decommissioning (i.e. replacement or disposal) of the device.

  6. Network management

The HICP technical volumes state that an effective network management strategy includes deploying firewalls to allow appropriate access inside and outside the organization. Firewall technology is far more advanced than standard router-based access lists and is an essential element of modern network management. The HICP technical volumes recommend that small and large health organizations deploy firewall capabilities in the following areas: on wide area network (WAN) pipes to the Internet and perimeter, in data centers, at distribution switches, in front of partner WAN/VPN connections, and on wireless networks.

HHS also states that segmenting networks into security zones is a fundamental method of limiting cyberattacks. These zones may be based on the sensitivity of assets within the network (clinical workstations, general user access, guest networks, medical device networks, building management systems, etc.) or on standard perimeter segmentation (DMZ solutions, middleware, application servers, database servers, vendor systems, etc.).

  7. Vulnerability management

The HICP technical volumes state that health care cybersecurity programs use vulnerability management to detect vulnerabilities proactively. According to the HICP technical volumes, these processes allow the organization to classify, evaluate, prioritize, correct and mitigate its technical vulnerability footprint from an attacker's point of view. The ability to mitigate vulnerabilities before an attacker discovers them gives the organization a competitive advantage and time to address those vulnerabilities in priority order.

  8. Incident response

Most cybersecurity programs begin by putting in place controls intended to prevent cyberattacks against a company's IT infrastructure and data. It is just as important to invest in and develop capabilities to detect successful attacks and respond quickly to mitigate their effects. The HICP technical volumes state that it is essential for all organizations to detect, in near real time, phishing attacks that successfully infiltrate their environment and to neutralize their effects before widespread credential theft or malware installation occurs.

  9. Medical device security

The HICP technical volumes recommend that any device connected directly to a patient for diagnostic or treatment purposes undergo thorough quality control to ensure its safe use. Rigorous requirements, administered by the FDA, are in place for the development and release of such systems.[5] Device manufacturers must comply with the regulations governing the manufacture of connected medical devices. The organizations that purchase the devices and use them for patient treatment are clinical providers. The HICP publication states that, given the highly regulated nature of medical devices and the specialized skills required to modify them, companies deploying medical devices are advised not to make configuration changes without the manufacturer's support. Doing so could void the warranty, create legal liability and, in the worst case, harm the patient. Consequently, the HICP publication recommends that the traditional security methods used to secure assets not necessarily be applied to medical devices, and that health care organizations instead apply the specific sub-practices for effectively managing connected medical devices.

  10. Cybersecurity policies

The HICP technical volumes recommend that small health organizations as well as medium and large health organizations implement cybersecurity policies describing and defining the following:

  • Cybersecurity roles and responsibilities across the organization.
  • Training covering common cyberattacks (such as phishing), lost or stolen devices, and methods for reporting suspicious behavior on computers.
  • Acceptable use of company data and equipment, and acceptable use of e-mail.
  • How data is to be classified, with usage parameters around those classifications.
  • The organization's position on the use of personal devices (e.g. BYOD). If permitted, set expectations for device management.
  • Mobile device security policies and their use in a remote environment.
  • Requirements for users to report suspicious activity within the organization.
  • Requirements for IT security controls, in a series of policies or a single long policy. Examples include access control, identity management, configuration management, vulnerability management and data center management.
  • Actions to be taken to ensure that all IT assets purchased by the company are properly identified and protected.

The HICP technical volume for small health care organizations is available here.

The HICP technical volume for large health care organizations is available here.

The HICP publication also includes an appendix of cybersecurity resources available to health care organizations. The appendix includes a glossary of cybersecurity terms, documents used for cybersecurity assessments, links to government agencies' cybersecurity resources, and cybersecurity policy and procedure templates that health care organizations can adopt. The HICP appendix containing these resources is available here.
