Understanding and Applying Health Industry Cybersecurity Practices

The Health Industry Cybersecurity Practices (HICP) was created to integrate effective cybersecurity strategies into a healthcare organization’s day-to-day practices. HICP’s outline for strategic cybersecurity processes can help you reduce the risk of data breaches involving protected health information in your healthcare organization.

This publication is the result of the collaborative work of the HHS and its industry partners to develop guidelines that cost-effectively reduce cybersecurity risks for healthcare organizations of varying sizes, ranging from local clinics and regional hospital systems to large healthcare systems.

The Task Group that developed the HICP health industry cybersecurity practices for managing threats determined that it was not feasible to address every cybersecurity challenge across the large and complex U.S. healthcare industry in a single document. A decision was made, therefore, to focus on the most impactful threats.


The practices provided in the HICP healthcare publication are descriptive rather than prescriptive. They are meant to be reviewed for applicability within your organization to reduce the potential impacts of the five major threats to health institutions discussed further in this blog. It is important to note that the guidelines written in the HICP cybersecurity document do not comprise a new framework or “reinvent the wheel” in any form. The practices outlined in the document may be implemented in whole or in part; the goal of the publication is to foster awareness, provide suggestions, and move towards consistency within the HPH sector in mitigating the current most impactful cybersecurity threats.

The guide was written in an easily digestible format for non-tech-savvy health sector professionals to understand the importance of cyber hygiene and apply healthcare cybersecurity best practices in the sector. Reading and understanding the guide should answer the pressing question of how to adopt and implement safe cyber practices.

What Are the Components of the Publication?

The entire publication includes the main document, two technical volumes, and several appendices. We’ll discuss them here in more detail.

The Main Document 

This section discusses the current cybersecurity threats facing the healthcare industry and calls for action on the part of the healthcare industry, especially executive decision-makers, to raise general awareness of the issue.

The main document outlines 5 major threats facing healthcare organizations. 

  • E-mail phishing attacks
  • Ransomware attacks
  • Loss or theft of equipment or data
  • Insider, accidental, or intentional data loss
  • Attacks against connected medical devices that may affect patient safety

Technical Volumes

The technical volumes provide practical steps for mitigating the five threats outlined in the Main Document. The practices in the technical volumes are divided by organization size.

The practices discussed in the two Technical Volumes align with the outcomes listed in the NIST Cybersecurity Framework. The NIST Framework is organized around five core functions for managing cyber threats: Identify, Protect, Detect, Respond, and Recover. The ten practices in the technical volumes help answer the question of “how” to achieve the outcomes identified in the NIST Framework and are tailored to the health sector.


Technical Volume 1 

Small healthcare institutions have fewer resources to manage their cybersecurity procedures, yet they remain just as exposed to cyberattacks. For small firms, the five threats listed in the Main Document can be particularly disruptive. For instance, if a small provider practice misplaces a laptop containing unencrypted PHI, the result may be a widely reported breach. Both the reputation of the practice and the provider's patients could suffer as a result.

The first technical volume discusses the ten Cybersecurity Practices (herein called Practices) and Sub-Practices for small healthcare organizations. It is intended for IT and/or IT security professionals and serves to guide organizations on what to ask their IT and/or IT security teams or vendors.

Technical Volume 2 

The second technical volume discusses the ten Cybersecurity Practices (herein called Practices) and Sub-Practices for medium-sized and large healthcare organizations. It is intended for IT and/or IT security professionals.

Resources and Templates volume

This volume provides resources and references to supplement the Main Document and Technical Volumes. 

Ten Best Practices

The Technical Volumes detail ten practices to mitigate these threats. Notably, the practices are not prioritized. An organization should assess its current security and risk posture to determine how to prioritize the practices and should allocate resources accordingly. A method and toolkit for determining and prioritizing the practices to implement are described in Appendix E.

The practices serve to strengthen cybersecurity in healthcare organizations in these ways:

  • By enabling organizations to evaluate and assess cybersecurity capabilities effectively and accurately
  • By sharing knowledge, common practices, and appropriate references across organizations to improve cybersecurity competencies
  • By enabling organizations to prioritize actions and digital investments to improve cybersecurity

How Can You Implement the HICP?

The best way to implement the HICP guidance is by following the best practices laid out in the technical volumes. The Centraleyes platform has pre-built HICP questionnaires for small, medium, and large organizations, to guide you methodically through each of the 10 Cybersecurity Practices, tracking your alignment and flagging tasks for remediation. Each question is made up of a specific task as well as providing education and guidance for its implementation. This aligns directly with the implementation steps provided by HICP listed below.

Implementing all of the HICP best practices is ideal, but it can be overwhelming or out of scope for many organizations. The HICP documentation recommends the following steps when deciding which sections to implement:

Every organization needs to evaluate for itself which of these threats are most prevalent, taking into account both the likelihood of occurrence and the impact such a threat would ultimately have on the organization. A comprehensive risk assessment can help organizations identify their key threats and other risks. Centraleyes can provide this too.

Step 2: Review Practices Tailored to Mitigate Threats

Once you have chosen which threat to mitigate first, the next step is to review the series of practices that exist to mitigate that threat. The Centraleyes HICP questionnaires enumerate each of the 10 practices and break them down into individual tasks.

Work from the technical volume written specifically for your size of organization, so that the practices you review match the resources you have available.

Each organization sees its threat exposure from its own perspective, which results in differences in how risks are prioritized for mitigation. Because many HICP practices mitigate multiple threats, it is advisable to consider first the practices that provide the greatest breadth of protection, followed by those that provide the most depth against a specific threat.

Step 3: Determine Gaps Compared to Practices
Step 4: Identify Improvement Opportunities and Implement

After working through the questionnaire, you need to compare your posture to the HICP best practices. Centraleyes' automated remediation planner identifies gaps and produces actionable remediation tickets. The Centraleyes platform provides your organization with a risk score using an easy and adaptable process, based on a proprietary weighting and grading algorithm. Once scores are collected, the pre-populated Centraleyes HICP questionnaire, featuring automated workflows and alerts, helps remediate the areas exposed to risk.

Step 5: Repeat for the Next Threats

This easy and repeatable process can be followed for any or all of the threats you decide to mitigate.

The HICP framework has been integrated into the Centraleyes platform to help organizations in the healthcare industry safeguard patients and their data. The platform also maps the controls of this framework back to the extensive control inventory of other frameworks and standards, using our SmartMapping feature. The Centraleyes platform saves time and resources, generates more accurate, measurable data, and brings you peace of mind when working toward HICP compliance. 
