HHS Publishes Guide to Cybersecurity Best Practices

With the aim of helping healthcare entities of all sizes improve their cybersecurity, the Department of Health and Human Services has issued a four-volume publication of voluntary best practices.

The publication’s four volumes include a main document that discusses the current cybersecurity threats facing the healthcare industry. The threats highlighted include email phishing attacks; ransomware attacks; loss or theft of equipment or data; insider data loss, whether accidental or intentional; and attacks against connected medical devices that may affect patient safety.

That first volume sets forth a call to action for the healthcare industry, especially executive decision makers, with the goal of raising general awareness of the issue, the document notes.

The publication also includes two technical volumes – the first for smaller healthcare organizations and the second for midsize to large healthcare organizations.

The technical volumes are organized according to the top 10 most effective cybersecurity practices, as identified by the HHS Cyber Task Force, which in June 2017 issued a report with more than 100 recommendations for how the healthcare sector can improve its cybersecurity posture.

Those 10 top best practices spotlighted in the new HHS document include the use of:

  • E-mail protection systems, including multifactor authentication for remote email access;
  • Endpoint protection systems, including micro-segmentation and virtualization strategies;
  • Access management, such as federated identity management;
  • Data protection and loss prevention, including mapping of data flows;
  • Asset management, such as integration with network access controls;
  • Network management, including anomalous network monitoring and analytics;
  • Vulnerability management, such as penetration testing;
  • Incident response, such as deploying deception technologies;
  • Medical device security, including vulnerabilities management;
  • Cybersecurity policies, such as defining the organization’s position on the use of personal devices or bring-your-own-device.

The fourth volume is an appendix that provides resources and templates that organizations can leverage to assess their cybersecurity posture, as well as to develop policies and procedures.

You can find the plan and appendices here: https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx

The tools associated with the plan are here: https://www.phe.gov/Preparedness/planning/405d/Pages/reportandtools.aspx

You can find more information about the Health Sector Coordinating Council here: https://www.healthsectorcouncil.org

And you can find the article this message was based on here: https://www.healthcareinfosecurity.com/hhs-publishes-guide-to-cybersecurity-best-practices-a-11912