How Aligned Are Provider Organizations with the Health Industry Cybersecurity Practices (HICP) Guidelines?
A KLAS-CHIME White Paper

Optimizing Best Practices Through Risk Analysis

As a participant in the Health and Public Health Sector Coordinating Council’s Joint Cybersecurity Work Group, Clearwater fully supports the 405(d) Task Group’s “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)” recommendations.

Even in the most mature organizations, these best practices and tools are often not implemented for every system or device across the enterprise. Furthermore, different systems and their components may require different security controls based on their unique attributes. In today’s complex IT environment, with too few available resources and dollars for cybersecurity, how does an information security leader decide what to address first and how best to reduce risk?

Foundational to a good security program is an enterprise-wide, information system-based security risk analysis. A risk analysis will identify and evaluate the applicable vulnerabilities and threats for each system based on its profile, as well as which controls are in place to address these scenarios.

Leading healthcare organizations following a best practices approach are utilizing cyber risk management software as a service to facilitate a comprehensive enterprise-wide risk analysis and risk response process. As a result, they are identifying their highest risks, optimizing deployment of security controls, and measuring progress, resulting in greater risk reduction at lower costs.

Steven R. Cagle

CEO

Clearwater – IRM|Pro®

steve.cagle@clearwatercompliance.com

HICP identifies 10 overarching cybersecurity practices that organizations of all sizes should focus on. For each practice, subpractices based on organization size are also outlined. The 10 overarching cybersecurity practices are:

Where do provider organizations stand today in their adoption of these best practices? To answer this question, KLAS and CHIME analyzed responses from the 600+ healthcare organizations that participated in the 2018 Healthcare’s Most Wired survey. Though that survey and the HICP guidelines do not overlap in every regard, this white paper explores adoption of those HICP guidelines that were measured by the Most Wired survey. This analysis was augmented by provider commentary and data collected by KLAS via other research efforts.

Key Findings

Email is the most common attack vector through which healthcare organizations are put at risk. Email protection systems provide filtering and encryption to minimize external threats, like phishing or ransomware attacks, and mitigate internal risks, whether malicious or unintentional. Every organization needs email protection from either their default email provider, such as Microsoft Office 365, or from external email protection tools, such as Proofpoint, Mimecast, and Zix.

Since email is a necessary, but high-risk, form of communication, email-security strategies are considered table stakes at most healthcare organizations. Therefore, the Most Wired survey does not collect in-depth data on email security. However, some data is collected that applies to the Task Group recommendations regarding workforce education and the use of digital signatures.

The Task Group recommends that organizations conduct monthly phishing simulations, which often include on-the-spot workforce training. Over 70% of organizations that participated in the Most Wired survey conduct such simulations at least quarterly, with many doing it more frequently. However, there is room for industry improvement since about 16% of small and midsize organizations do not conduct phishing simulations at all or do them less than once a year. The Most Wired survey also measured the use of digital signatures, which allow users to verify that emails come from trusted sources and have not been manipulated in transmission. Large organizations are three times more likely to have adopted this technology than their smaller counterparts.

While email remains the top attack vector, the increasing mobility of the workforce makes endpoints just as critical for healthcare organizations to secure against client-side ransomware attacks or the theft/loss of equipment, PHI, and other sensitive data. The use of antivirus software is one of the most basic ways to protect endpoints, but the Most Wired survey didn’t ask about this method due to its ubiquitous deployment.

Nearly all surveyed organizations report that they currently use endpoint encryption, a simple and relatively inexpensive protection method. While most organizations have implemented intrusion-detection and -prevention systems, about 20% of small organizations have not implemented this first line of defense. The majority of surveyed organizations have implemented mobile device management to secure both hospital-owned and BYOD smartphones and tablets, though the opportunity remains for additional organizations to implement this software. Doing so ensures that PHI remains containered on devices and that organizations have the ability to wipe a device—or a portion of a device—should it become lost or even become disconnected from a secured hospital network.

Identity and access management (IAM) technology is becoming increasingly important for healthcare organizations as they attempt to balance security needs with end users’ desires for quick system access. 83% of surveyed organizations have implemented single sign-on (SSO) solutions, which enable quick and easy access to multiple systems with a single login. Healthcare IAM is made even more complex by the fact that a single user may have different roles and need to be provisioned with different levels of access at different times.

While there is some opportunity for smaller organizations to increase adoption of strong password requirements, most organizations report adoption of thorough basic access management policies. Many organizations are making the transition from homegrown IAM technologies to third-party tools, with large organizations significantly more likely to have implemented identity management and provisioning tools. Organizations that did not clearly establish and document which IAM policies they wished to support with these tools report having more challenging implementations.

Phishing scams are proving more successful at compromising users’ credentials, increasing the need for multifactor authentication (MFA) so that stolen credentials can’t be used to access PHI. Less than half of smaller organizations have an MFA solution in place today. Regardless of size, organizations report little adoption of adaptive/risk-based authentication, which requires additional verification based on the risk level of the action being attempted.

As the healthcare industry moves toward increased interoperability, it is becoming increasingly important for organizations to make sure patient data is shared in a safe and secure way. Policies and procedures for protecting data at rest, data in use, and data in motion form the basic foundation for data-loss prevention (DLP), and technology solutions are then used to support these policies. While the Task Group characterized DLP tools as a subpractice for medium and large organizations, the majority of surveyed organizations, including over 70% of small organizations, report having a DLP tool in place, though small organizations’ DLP implementations are more likely to be limited in scope. Organizations’ whose DLP deployments include exact data matching or fingerprinting are more likely to be satisfied with their tools and to report low levels of false positives. As data and applications continue to move to the cloud, some organizations express hesitation to further deploy on-premises DLP solutions.

The majority of organizations encrypt data in multiple ways, though the encryption of server databases and enterprise network storage devices is less common, especially in small organizations. All surveyed organizations report backing up their data; off-site backup strategies and redundant data centers are more commonly employed than cloud backup services. Very few small organizations report using Data or Infrastructure as a Service; while medium and large organizations are more likely to use these services, adoption is still limited.

Historic asset management practices (i.e., practices that include simply tracking purchased devices) are insufficient for today’s security environment. Organizations must have insight into devices’ operating systems, MAC and IP addresses, recent users, locations, patching information, and much more. And in order for organizations to blend security best practices into their IT asset management, the IT, information security, healthcare technology management, and procurement teams need to all be on the same page and working toward the same common goals.

While the Most Wired survey collected relatively little information about organizations’ asset-management practices, nearly all organizations report proper disposal of PHI-containing assets. There is room for improvement when it comes to having real-time devicelocation data—only 50% of small organizations and 60% of midsize organizations use RFID/RTLS technology to identify and track assets. (Additional context regarding asset management struggles is included in section 9 on medical device security.)

Networks support connections and the movement of data between systems, but if not properly deployed and managed, they can also enable cyberattacks to spread and gain access to many sources of PHI. Large organizations are more likely to have a single, enterprise-wide wireless infrastructure, while small and midsize organizations are more likely to have multiple discrete networks deployed for different purposes. Regardless of the number of networks deployed, it is critical for organizations to implement proper segmentation to keep the impact of an attack isolated to specific portions of the network.

The Task Group prioritizes network segmentation for small organizations, yet less than half report segmenting their networks today. Use of firewalls and physical device security is widespread across all organization sizes. Network access control (NAC) systems—which automatically profile new assets that connect to the network—help ensure that proper security controls are applied prior to a device being granted access. Across all sizes, the majority of surveyed organizations have implemented the Task Group’s suggested focus for large organizations on anomalous-behavior detection to catch and quarantine abnormal events.

Vulnerability management includes scanning for and identifying potential vulnerabilities as well as establishing policies for how to prioritize and remediate vulnerabilities once discovered. About 90% of large organizations run vulnerability scans at least quarterly; 60% of small and midsize organizations do so. Few organizations conduct web-security, infrastructure-security, or application-security assessments more than once a year. Augmenting a robust vulnerability-scanning program with penetration testing by internal or external teams can help organizations look deeper for vulnerabilities. Though the Task Group recommends penetration testing as a practice for large organizations, small organizations are the most likely to perform general penetration tests or wireless penetration tests at least once a quarter. Once vulnerability assessments have been performed, nearly all organizations report their progress and remaining gaps to leadership. Resource constraints keep some small organizations from involving multiple business units in their remediation work once the gaps have been identified.

Organizations of all sizes should have an incident-response plan outlining policies and practices for quickly and efficiently isolating and mitigating adverse security events. These plans should involve all applicable hospital departments and should include guidelines for proper notification should a breach occur. Most organizations have a plan in place and conduct annual tabletop exercises to practice and refine their plans. Only about half of organizations conduct an annual enterprise-wide test. Nearly all organizations participate in an information sharing and analysis organization (ISAO) that helps organizations escalate known threats and share best practices for protection. Large organizations are most likely to participate with the Health Information Sharing and Analysis Center (H-ISAC); small organizations are more likely to look to nearby HIE partners rather than national ISAOs.

While the Most Wired survey didn’t ask about participation in a security operations center (SOC)—insourced, outsourced, or hybrid—it did ask organizations about their adoption of security information and event management (SIEM) tools and user-behavior analytics (UBA) for providing analytics to their SOC. While most organizations have SIEM tools in place, adoption of UBA tools is still early; large organizations are more likely to have adopted this technology, but less than half have it in place today

While the Most Wired survey asked relatively few direct questions about medical device security, it is a top concern for organizations due to the inherent security challenges presented by FDA-approved devices and the potential for device breaches to affect patient safety.

The Task Group’s recommendations for securing medical devices include specific applications of technologies already mentioned, such as endpoint protection, IAM, asset management, network management, and vulnerability management. While medical devices may present a few unique security challenges given their lengthy life cycle, organizations that properly apply security technologies and policies for their medical devices gain confidence in their ability to protect patient safety.

Across organization sizes, the top medical-device-security struggles reported include (1) out-of-date operating systems that organizations cannot patch and (2) a lack of asset and inventory visibility due to insufficient tools and the large number of devices that must be secured. Additionally, many organizations haven’t formalized internal ownership of medical device security and are just beginning to bring security into the medical-device procurement process, including pre-purchase risk assessments, MDS2 forms, software bills of materials, and patching provisions.

Large organizations are more likely to have invested in technology to support their medical device security programs, while small organizations report a high level of confidence in their ability to protect patient safety and secure devices due to lower device volumes and strong internal policies.

Successful cybersecurity programs are not based on technology alone—rather, they are based on policy and supported by strong technology. While various policies underly each of the previous nine cybersecurity practices, organizations’ overall security policies should include the following elements: proper classification of data; definition of roles and responsibilities within the organization (including proper governance); employee education; definition of acceptable data and tool usage; definition of proper use of personal and employer-provided devices; and creation of a cyberattack response plan.

Small and medium organizations are nearly four times as likely to lack a CISO at their organization compared to large organizations. Nearly half of medium and large organizations have cybersecurity as a topic at board meetings at least quarterly. While most organizations have a governance, risk, and compliance (GRC) committee in place, less than half of organizations (and fewer than one in five small organizations) have a board-level committee overseeing their cybersecurity program.

Small organizations are far less likely than medium or large organizations to have implemented a BYOD program at their organization, though the majority do have an MDM program in place.

When selecting a framework to support their policies, organizations predominately turn to the NIST Cybersecurity Framework as the industry standard. However, other frameworks (such as the HITRUST CSF) are in use, and several organizations use a combination of industry standards to develop their programs. About one in five small and medium-sized organizations use self-developed frameworks.

The HHS Task Group’s cybersecurity practices provide a strong, comprehensive foundation from which organizations can build cybersecurity programs and policies and then augment those policies with technology. For many practices, industry adoption aligns with the Task Group’s recommendations. However, opportunities for improvement exist, especially among smaller organizations, where budget constraints and a lack of qualified talent are more likely to hinder progress.