On April 17, 2023, the HHS Cybersecurity Task Force released the updated Health Industry Cybersecurity Practises (HICP) 2023 Edition and the Hospital Cyber Resiliency Initiative Landscape Analysis. It is a collection of real best practises within the industry compiled as a voluntary activity by public and private security professionals rather than as a regulation or baseline target. It doesn't contain anything especially new, but it does provide practical references for multiple audiences (physicians, managers, technicians) and adapted to the size and complexity of organisations.
In this blog, I provide an overview and updated points to these resources, and explore the cybersecurity needs of the healthcare industry.
What is HICP?
HICP is best practise for the healthcare industry. It is one of the deliverables in a programme to strengthen cybersecurity posture initiated as a congressional mandate under Section 405(d) of the Cybersecurity Act of 2015. The 405(d) Task Group is a joint effort of the U.S. Department of Health and Human Services, the Health Sector Coordinating Council, and members of his more than 200 cybersecurity and healthcare professionals.
Moreover, Health Industry Cybersecurity Practise (HICP) is an output of their activity. The 1st edition was published in 2019. HICP consists of three documents: Mian document, Technical Volume 1 (for small organisation), and Technical Volume 2 (for medium and large organisation), and these practises are aligned with NIST CSF(Cybersecurity Framework).
In light of recent threats and situations in the healthcare industry, it has been updated as the 2023 edition.
HICP 2023 edition
HICP presents 5 threats most relevant to the healthcare industry and 10 mitigations to prevent them.
- Top 5 Threats
- Social Engineering
- Loss or theft of equipment or data
- Insider accidental or malicious data loss
- Attack against connected medical devices
- Top 10 mitigations
- Email Protection Systems
- Endpoint Protection Systems
- Access Management
- Data Protection and Loss Prevention
- Asset Management
- Network Management
- Vulnerability Management
- Security Operation Centres and Incident Response
- Network Connected Medical Devices
- Cybersecurity Oversight and Governance
First, the Main document recommended incorporating Zero Trust, and Defence in Depth into your Cybersecurity strategy.
An update in Threat is that what was formerly titled Email Phishing has been expanded to Social Engineering. Social engineering threats encompass more than email phishing. (Some new items addressed by this new threat: Smishing, Whaling, BEC and more.)
As mitigation, Network Connected Medical Devices added more details. Many IoT devices interact with the physical world in ways that traditional IT devices do not typically do, and IoT devices can modify physical systems and affect the physical world. Additionally, operational requirements for performance, reliability, resilience, and safety can conflict with typical cybersecurity and privacy practises for traditional IT devices. It recommends that they fix or mitigate these vulnerabilities before connecting to their network.
Other mitigations updates and additions includes Attack Simulations, Cyber insurance, Risk assessment and management, etc.
The HHS 405(d) programme conducted a landscape analysis to review active threats attacking hospitals and the cybersecurity capabilities of hospitals operating in the United States. They also benchmarked these results to specific practises from the Health Industry Cybersecurity Practises (HICP).
The report said that based on the 2023 Censinet/AHA/KLAS survey, on average, hospitals claim to cover 72.05% of HICP practises, with email protection having the highest coverage and medical equipment It has the lowest security.
The same study shows that 59.64% of medical technology used in hospitals has some form of antivirus solution or other alternative control. Additionally, 60.18% of hospitals said they regularly patch their medical technology when patches are released by their manufacturers. Lastly 52.41% of hospitals say they separate their medical technology from their general access network.
This analysis report suggests that these basic hygiene controls still pose significant challenges to medical technology security.
Trend Micro defines the technologies and systems that should be protected in hospitals into five areas and summarises each security control implementation method and approach from a comprehensive perspective as a technical report. Please use it as one of the resources for advancing the implementation of the practise.
- HHS 405(d)
- HHS Cybersecurity Task Force Provides New Resources to Help Address Rising Threat of Cyberattacks in Health and Public Health Sector