Attributes

Medium-sized health care organizations perform critical functions for the health care and public health (HPH) sector. These organizations include critical access hospitals in rural areas, practice management organizations supporting physician practices, revenue cycle or billing organizations, mid-sized device manufacturers, and group practices. Medium-sized health care organizations generally employ hundreds of personnel, maintain numerous information technology (IT) assets, and may be primary partners with small and large health care organizations. It is typical for a medium-sized organization to have several critical systems interconnected to enable work activities in support of the organization’s mission.
These organizations tend to have a diverse inventory of assets that support multiple revenue streams. They also tend to have narrow profit margins, limited resources, and limited flexibility to implement robust cybersecurity practices. For example, it is rare for a medium-sized organization to have its own dedicated 24/7/365 security operations center (SOC).

Medium-sized organizations tend to focus on preventing cybersecurity events by implementing rigid security policies. This rigidity is often due to insufficient resources to support more open and flexible cybersecurity models, such as those larger organizations can often afford. Medium-sized organizations usually struggle to obtain cybersecurity funding that is distinct from their standard IT budgets. The top security professional in an organization of this size might often feel overwhelmed by compliance and cybersecurity duties, wear multiple hats, and experience constraints around execution plans.


Medium-sized organizations operate in complex legal and regulatory environments that include but are not limited to the following:
  • The Office of the National Coordinator for Health Information Technology (ONC) regulations for interoperability of Certified Electronic Health Information Technology
  • The Medicare Access and Children’s Health Insurance Program Reauthorization Act of 2015 (MACRA)/Meaningful Use
  • Multiple enforcement obligations under the Food and Drug Administration (FDA)
  • The Joint Commission accreditation processes
  • The Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology Economic and Clinical Health Act (HITECH) requirements
  • The Payment Card Industry Data Security Standard (PCI-DSS)
  • Substance Abuse and Mental Health Services Administration (SAMHSA) requirements
  • The Gramm-Leach-Bliley Act for financial processing
  • The Stark Law as it relates to providing services to affiliated organizations
  • The Family Educational Rights and Privacy Act (FERPA) for those institutions participating within Higher Education
  • The Genetic Information Nondiscrimination Act
  • The new General Data Protection Regulation (GDPR) in the European Union


IT Assets Used by Medium-Sized Organizations

Medium-sized organizations may have thousands of IT assets, with a mix of dozens to a hundred information systems. Any of these assets may have cybersecurity vulnerabilities that make it susceptible to cyber threats. There are three important factors in understanding how to secure assets:

  • Their relationship within the organization’s IT ecosystem
  • How the workforce leverages and uses the assets
  • The data that are generated, stored, and processed within those assets


Not all assets are equally important; mission critical assets must always be fully operational, while less critical assets might be offline for days or weeks without harming the organization’s mission. Some assets, while not mission critical, may have large repositories of sensitive data that represent significant risk. In all cases, the organization uses IT assets for business reasons and should protect those assets with proper cyber hygiene controls. Examples of assets found in medium-sized organizations include, but are not limited to, the following:

Static devices used by the workforce, such as shared workstations and clinical workstations used strictly for patient care, along with select mobile devices, such as laptops and smartphones. Medium-sized organizations may not maintain many mobile devices, owing to budget restrictions.

Internet of things (IoT) devices, such as smart televisions and medical devices, printers, copiers, and security cameras.

Data that includes sensitive health information stored and processed on devices, servers, applications, and the cloud. These data include names, medical record numbers, birth dates, social security numbers (SSNs), diagnostic conditions, prescriptions, and mental health, substance abuse, or sexually transmitted infection information. These sensitive data are referred to as protected health information (PHI) under HIPAA.

Assets related to the IT infrastructure, such as firewalls, network switches and routers, Wi-Fi networks (both corporate and guest), servers supporting IT management systems, and file storage systems (cloud-based or onsite).

Applications or information systems that support the business processes. These may include human resource (HR) or enterprise resource planning (ERP) systems, pathology lab systems, blood bank systems, medical imaging systems, pharmacy systems, revenue cycle systems, supply chain or materials management systems, specialized oncology therapy systems, radiation oncology treatment systems, and data warehouses (e.g., clinical, financial).



Top 5 Cybersecurity Threats

In 2017, under the leadership of the U.S. Department of Health and Human Services (HHS), the Healthcare Industry Cybersecurity Task Force (HCIC) conducted a Healthcare Industry Cybersecurity Risk Assessment; the results were published in the Health Care Industry Cybersecurity Report. The Health and Public Health Coordinating Council Task Group responded to the findings and the Cybersecurity Act’s mandate to “Align Health Care Industry Security Approaches.”

The Task Group determined that it could not effectively identify every cybersecurity challenge across the large and complex U.S. health care industry. Therefore, the decision was made to focus on the most impactful threats, with the goal of significantly moving the cybersecurity needle for a broad range of organizations within the industry. The report identified the Top 5 Threats to medium healthcare organizations:



HHS Top Five Threats for medium healthcare organizations
  1. E-mail phishing attacks
  2. Ransomware attacks
  3. Loss or theft of equipment or data
  4. Insider data loss, accidental or intentional
  5. Attacks against connected medical devices that may affect patient safety


Mitigation Practices

To help large healthcare organizations address the risk posed by the Top 5 Threats, the Department of Health and Human Services (HHS) recently published a common set of best practices, methodologies, procedures, and processes. These mitigation guidelines, though voluntary, are consensus based and industry led.



Mitigation Practice #1: E-mail Protection Systems

Phishing attacks via email (a type of hacking attack) are the most common first point of unauthorized entry into an organization. The effectiveness of phishing attacks allows attackers to bypass most perimeter detections by “piggybacking” on legitimate workforce users. If an attacker obtains an employee’s password via phishing, and if that employee has remote access to the organization’s IT assets, the attacker has made significant progress toward penetrating the organization.

Targets
  • E-mail phishing attacks
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Basic E-mail protection controls
  • Multifactor authentication for remote access
  • E-mail encryption
  • Workforce education


Mitigation Practice #2: Endpoint Protection Systems

Endpoints are the assets the workforce uses to interface with an organization’s digital ecosystem, such as desktops, laptops, workstations, and mobile devices. Current cyber attacks target endpoints as frequently as networks; implementing baseline security measures on these assets provides a critical layer of threat management. As the modern workforce becomes increasingly mobile, it is essential for these assets to interface and function securely.

Targets
  • Ransomware attacks
  • Loss or theft of equipment or data

Cyber Tygr solutions focus on:
  • Basic endpoint protection controls


Mitigation Practice #3: Access Management

Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints. Just as a name badge may be required to identify persons in the physical work environment, cybersecurity access management practices can help ensure that users are properly identified in the digital environment, as well.

Targets
  • Attacks against connected medical devices affecting patient safety
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Identification and authentication
  • Provisioning, transfers, de-provisioning procedures
  • Authentication
  • Multi-factor authentication for remote access
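The provisioning, transfer and de-provisioning bullets above come down to one recurring check: does every enabled account still correspond to a current employee, and is remote access gated by MFA? The script below is an added example (not code from the original page or from Cyber Tygr) that reconciles a directory export against an HR roster and reports the gaps an access review should catch: accounts still enabled after termination, accounts with no HR record behind them, remote access without MFA, and dormant accounts. The roster, directory records, field names and the 90-day dormancy threshold are all constructed for illustration.

```python
"""Access review: reconcile directory accounts against the HR roster.

Added example, not from the original page or from Cyber Tygr. The roster,
directory export, field names and thresholds are constructed; a real
review would read them from the HR system and the directory service.
"""
from datetime import date

DORMANT_DAYS = 90  # constructed threshold for "no logon recently"

# Constructed HR roster: who *should* have access.
HR_ROSTER = [
    {"user": "jsmith", "status": "active", "term_date": None},
    {"user": "ltran", "status": "terminated", "term_date": date(2024, 2, 1)},
    {"user": "mgarcia", "status": "active", "term_date": None},
]

# Constructed directory export: who *actually* has access.
DIRECTORY = [
    {"user": "jsmith", "enabled": True, "remote_access": True,
     "mfa_enrolled": True, "last_logon": date(2024, 3, 10)},
    {"user": "ltran", "enabled": True, "remote_access": True,
     "mfa_enrolled": False, "last_logon": date(2024, 1, 28)},
    {"user": "mgarcia", "enabled": True, "remote_access": False,
     "mfa_enrolled": False, "last_logon": date(2023, 11, 1)},
    {"user": "svc-backup", "enabled": True, "remote_access": False,
     "mfa_enrolled": False, "last_logon": date(2024, 3, 11)},
]


def reconcile(hr_roster, directory, today):
    """Return one finding dict per access-management gap.

    Disabled accounts are skipped: they are already de-provisioned.
    """
    findings = []
    roster = {emp["user"]: emp for emp in hr_roster}
    for acct in directory:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        emp = roster.get(user)
        if emp is None:
            # Nobody in HR owns this account: orphan or unregistered service account.
            findings.append({"user": user, "issue": "no-hr-record"})
        elif emp["status"] == "terminated":
            # De-provisioning gap: measure how long the account outlived the employee.
            days = (today - emp["term_date"]).days
            findings.append({"user": user, "issue": "enabled-after-termination", "days": days})
        if acct["remote_access"] and not acct["mfa_enrolled"]:
            findings.append({"user": user, "issue": "remote-access-without-mfa"})
        if (today - acct["last_logon"]).days > DORMANT_DAYS:
            findings.append({"user": user, "issue": "dormant"})
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, DIRECTORY, date(2024, 3, 12)):
        print(finding)
```

Run against the constructed data, the review flags the terminated user whose account has been enabled for 40 days and who could still connect remotely without MFA, the service account nobody in HR owns, and a dormant account; the active, MFA-enrolled user produces nothing. In practice the same loop runs on a schedule against the real HR feed and directory, and each finding becomes a ticket for the de-provisioning procedure.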


Mitigation Practice #4: Data Protection and Loss Prevention

As an organization begins shoring up its data protection and prevention controls, it is best to begin by understanding the types of data that exist in the organization, setting a classification schema for these data, and then determining how the data are processed. Establish a set of policies and procedures for normal data use and then build in “guardrail” systems to guide your user base toward these business processes.
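The sequence described above (know the data types, set a classification schema, define normal use, then add guardrails) can be made concrete in a few dozen lines. The script below is an added example, not code from the original page or from Cyber Tygr: it assigns records to a constructed three-tier schema based on the HIPAA identifiers they carry (with a "restricted" tier for the specially protected categories the page names: mental health, substance abuse, and sexually transmitted infections) and then applies an outbound e-mail guardrail that lets internal mail through, encrypts approved external transfers that contain identifiers, and blocks the rest. The tier names, field names, keyword list, SSN and MRN patterns, the `clinic.example` domain, and the sample records and messages are all constructed assumptions.

```python
"""Data classification and an outbound e-mail "guardrail" check.

Added example, not code from the original page or from Cyber Tygr. The
tiers, field names, patterns, keyword list, domain and sample data are
constructed for illustration; a real schema follows organizational policy.
"""
import re

RESTRICTED, PHI, INTERNAL = "restricted", "phi", "internal"

# Field names that carry a HIPAA identifier in this constructed schema.
IDENTIFIER_FIELDS = {"name", "mrn", "dob", "ssn"}
# Specially protected categories named on the page; the keyword list is a
# constructed simplification of what a real policy would enumerate.
RESTRICTED_RE = re.compile(r"\b(mental health|psychiatric|substance use|opioid|hiv|sti)\b")
# Constructed identifier patterns for free text (SSN and medical record number).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN[-# ]?\d{6,10}\b", re.IGNORECASE)
INTERNAL_DOMAIN = "clinic.example"  # constructed


def identifiers_in_text(text: str) -> list[str]:
    """Names of identifier patterns found in free text."""
    found = []
    if SSN_RE.search(text):
        found.append("ssn")
    if MRN_RE.search(text):
        found.append("mrn")
    return found


def classify_record(record: dict) -> str:
    """Assign a record to a tier from its field names and free-text values."""
    has_identifier_field = any(k.lower() in IDENTIFIER_FIELDS and v for k, v in record.items())
    text = " ".join(str(v) for v in record.values()).lower()
    if not has_identifier_field and not identifiers_in_text(text):
        return INTERNAL
    if RESTRICTED_RE.search(text):
        return RESTRICTED
    return PHI


def guardrail(message: dict) -> dict:
    """Decide what the outbound gateway does with one message.

    Internal mail passes; external mail carrying identifiers is encrypted
    when the transfer was approved and blocked otherwise.
    """
    found = identifiers_in_text(message["body"])
    external = [a for a in message["to"] if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not found or not external:
        return {"action": "allow", "identifiers": found, "external": external}
    action = "encrypt" if message.get("approved_transfer") else "block"
    return {"action": action, "identifiers": found, "external": external}


if __name__ == "__main__":
    # Constructed sample records and messages.
    records = [
        {"name": "Jane Doe", "mrn": "MRN-0012345", "diagnosis": "hypertension"},
        {"name": "J. Roe", "diagnosis": "opioid use disorder"},
        {"invoice_total": "1200.00", "vendor": "Acme Supply"},
    ]
    for rec in records:
        print(classify_record(rec), rec)
    messages = [
        {"to": ["billing@clinic.example"], "body": "Balance for MRN 00123456 attached"},
        {"to": ["claims@payer.example"], "body": "Claim for MRN-00123456", "approved_transfer": True},
        {"to": ["friend@mail.example"], "body": "SSN 123-45-6789 as requested"},
    ]
    for msg in messages:
        print(guardrail(msg)["action"], msg["to"])
```

Two design points worth noting. Classification looks at values as well as field names, so an SSN pasted into a free-text "notes" column still lands in the PHI tier rather than slipping through as internal data. The guardrail never tries to decide whether the business purpose is legitimate; it only enforces the procedure the organization wrote down (approved transfers go out encrypted, everything else is blocked and reviewed), which is exactly the "guide the user base toward the business process" role the paragraph describes.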

Targets
  • Loss or theft of equipment or data
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Classification of Data
  • Data use procedures
  • Data security
  • Backup strategies
  • Data loss prevention


Mitigation Practice #5: Asset Management

IT asset management (ITAM) is a foundation for all other cybersecurity practices and is critical to ensuring that proper cyber hygiene controls are in place across all assets in the organization. ITAM processes should be implemented for endpoints, servers, and networking equipment.

Targets
  • Attacks against connected medical devices affecting patient safety
  • Loss or theft of equipment or data
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Inventory of endpoints and servers
  • Procurement
  • Secure storage for inactive devices
  • Decommissioning assets


Mitigation Practice #6: Network Management

Computers communicate with other computers through networks. These networks are connected wirelessly or via wired connections (e.g., network cables), and networks must be established before systems can interoperate. Networks that are established in an insecure manner increase an organization’s exposure to cyber attack.

Proper cybersecurity hygiene ensures that networks are secure and that all networked devices access networks safely and securely. If network management is provided by a third-party IT support vendor, the organization must understand key aspects of proper network management for inclusion in contracts for these services.

Targets
  • Attacks against connected medical devices affecting patient safety
  • Loss or theft of equipment or data
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Network profiles and firewalls
  • Network segmentation
  • Intrusion prevention systems
  • Web proxy protection
  • Physical security of network devices


Mitigation Practice #7: Vulnerability Management

Vulnerability management is the process used by organizations to detect technology flaws that hackers could exploit. This process uses a scanning capability, often provided by an EHR or IT support vendor, to proactively scan devices and systems in your organization. The ability to mitigate vulnerabilities before a hacker discovers them gives the organization a competitive edge and time to address these vulnerabilities in a prioritized fashion.

Targets
  • Attacks against connected medical devices affecting patient safety
  • Loss or theft of equipment or data
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Host/Server based scanning
  • Web application scanning
  • System placement and data classification
  • Patch management, configuration management & change management
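"System placement and data classification" is what turns a raw scanner export into a prioritized work list: a finding on an internet-facing PHI system outranks a higher-scoring finding on an isolated printer. The script below is an added example (not code from the original page or from Cyber Tygr) that joins constructed scanner findings to a constructed asset inventory, weights each finding's base score by where the system sits, what data it holds, and whether it is mission critical, and assigns a remediation window from the result. A host the scanner sees but the inventory does not know is scored under worst-case assumptions and flagged, since an unknown asset is an asset-management gap as much as a vulnerability. The weights, SLA thresholds, hostnames, finding labels and scores are all constructed.

```python
"""Rank scanner findings by asset placement, data classification and criticality.

Added example, not from the original page or from Cyber Tygr. Weights,
SLA thresholds, inventory entries and findings are constructed for
illustration; real values come from the organization's risk policy.
"""

# Constructed multipliers for the three factors the page names.
PLACEMENT_WEIGHT = {"internet-facing": 1.5, "clinical": 1.3, "internal": 1.0}
DATA_WEIGHT = {"phi": 1.4, "internal": 1.1, "public": 1.0}
CRITICALITY_WEIGHT = {"mission-critical": 1.3, "standard": 1.0}

# Worst-case profile for a host the scanner found but ITAM does not know.
UNKNOWN_ASSET = {"placement": "internet-facing", "data": "phi", "criticality": "mission-critical"}

# Constructed asset inventory (hostname -> placement / data / criticality).
INVENTORY = {
    "pacs01": {"placement": "clinical", "data": "phi", "criticality": "mission-critical"},
    "portal01": {"placement": "internet-facing", "data": "phi", "criticality": "standard"},
    "prn-3f": {"placement": "internal", "data": "public", "criticality": "standard"},
}

# Constructed scanner output: base severity only, no context.
FINDINGS = [
    {"host": "pacs01", "finding": "missing vendor patch", "cvss": 9.8},
    {"host": "portal01", "finding": "weak TLS configuration", "cvss": 7.2},
    {"host": "prn-3f", "finding": "default credentials", "cvss": 9.1},
    {"host": "ws-temp", "finding": "missing OS patches", "cvss": 6.0},
]


def priority_score(finding: dict, inventory: dict) -> tuple[float, bool]:
    """Base score times the asset's context weights; flags unknown assets."""
    asset = inventory.get(finding["host"])
    unknown = asset is None
    profile = UNKNOWN_ASSET if unknown else asset
    weight = (PLACEMENT_WEIGHT[profile["placement"]]
              * DATA_WEIGHT[profile["data"]]
              * CRITICALITY_WEIGHT[profile["criticality"]])
    return round(finding["cvss"] * weight, 1), unknown


def sla_days(score: float) -> int:
    """Constructed remediation windows keyed on the weighted score."""
    if score >= 20:
        return 7
    if score >= 12:
        return 30
    if score >= 6:
        return 90
    return 180


def prioritize(findings: list, inventory: dict) -> list:
    """Return findings annotated with score, SLA and unknown-asset flag, highest first."""
    ranked = []
    for f in findings:
        score, unknown = priority_score(f, inventory)
        ranked.append({**f, "score": score, "sla_days": sla_days(score), "unknown_asset": unknown})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, INVENTORY):
        flag = " (not in inventory)" if row["unknown_asset"] else ""
        print(f'{row["score"]:5} {row["sla_days"]:3}d {row["host"]:10} {row["finding"]}{flag}')
```

On the constructed data the clinical PHI system with the 9.8 finding comes first with a 7-day window, the unknown host second, the internet-facing portal's 7.2 finding third, and the printer's 9.1 finding last with a 90-day window. The ordering is the point: without placement and classification, the printer would have been patched before the portal.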


Mitigation Practice #8: Security Operations Center (SOC) & Incident Response

Maintaining detection and response capabilities requires establishing an IR program and a SOC to manage the IR, along with security engineering that enhances an organization’s ability to detect and respond to cyber attacks. A SOC is an organizational structure that leverages cybersecurity frameworks, people, tools, and processes to provide dedicated cybersecurity operations. SOCs are the areas within an organization that dedicate 100 percent of their time to cybersecurity prevention, detection, or response capabilities, providing the execution arm of cybersecurity IR.

Targets
  • Phishing attacks
  • Attacks against connected medical devices affecting patient safety
  • Loss or theft of equipment or data
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Security operations center monitoring
  • Incident response planning
  • Forensic services


Mitigation Practice #9: Medical Device Security

As with all technologies, medical device benefits are accompanied by cybersecurity challenges. One emerging threat is the practice of hacking medical devices to cause harm by operating them in an unintended manner. For example, the 2015 document “How to Hack an Infusion Pump” describes how an infusion pump can be controlled remotely to modify the dosage of drugs, threatening patient safety and well-being.

Medical devices are essential to diagnostic, therapeutic and treatment practices. These devices deliver significant benefits and are successful in the treatment of many diseases. As technology advances and health care environments migrate to digitized systems, so do medical devices. For many reasons, it is highly desirable to interface medical devices directly with clinical systems.

Cybersecurity vulnerabilities are introduced when medical devices are connected to a network or computer to process required updates. Many medical devices are managed remotely by third-party vendors, which increases the attack footprint.

Targets
  • Attacks against connected medical devices affecting patient safety

Cyber Tygr solutions focus on:
  • Medical device management
  • Endpoint protection
  • Automated device discovery and management
  • Device level risk management
  • Network segmentation


Mitigation Practice #10: Cybersecurity Policies

To set proper expectations, organizational policies should support stringent cybersecurity hygiene controls. With consistent training and enforcement, expectations are clearly expressed to the workforce.

These policies should be written for the various user audiences that exist in the organization, considering the differences between the general workforce user, IT user, and high-profile or high-risk users (e.g., finance, HR, or health information management).

Targets
  • Phishing attacks
  • Attacks against connected medical devices affecting patient safety
  • Loss or theft of equipment or data
  • Ransomware attacks
  • Insider data loss, accidental or intentional

Cyber Tygr solutions focus on:
  • Policy development
  • HIPAA Security Gap Assessment