Cybersecurity guidelines were issued in a 4-volume report by The Department of Health and Human Services. It was published under the name ‘Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients’ and it outlines the voluntary measures and practices that the healthcare sector can adopt in order to minimise security risks and bolster their own defences against potential cyber-attacks. In total, 150 experts in both cybersecurity and healthcare were consulted.
It has been emphasised by officials that this 4-volume report isn’t supposed to be treated as gospel, and that these healthcare cybersecurity guidelines were just that, guidelines. They are not to be enforced dogmatically, but to be considered something of a resource for healthcare professionals to educate themselves on the topic.
Each volume of the cybersecurity healthcare guidelines is meant to address a specific facet of the matter. As such, one volume is focused on practices for smaller organisations, while another one revolves around medium and larger organisations, the third one is about resources and templates for end users and the last one highlights the best actions to take in order to ensure patient safety and manage threats. The volumes directed at the specific types of organisations (small, medium or large) are essentially addressed to their IT and security professionals.
It was acknowledged that the topic of healthcare cybersecurity is too broad and expansive to be covered in a single report. However, they did highlight 5 primary areas of concern that all parties need to be aware of, which are as follows:
- Ransomware attacks
- E-mail phishing attacks
- Data loss (insider, accidental or intentional)
- Loss/theft of equipment/data
- Attacks against connected medical devices that can compromise the safety of patients
Each of these areas are elaborated on and the risks and nature of such attacks are discussed. The vulnerabilities leading to these attacks and how these vulnerabilities can be exploited was also discussed. In addition to that, they outlined a list of practices that can be adopted to improve their healthcare cybersecurity measures.
- E-mail protection systems
- Endpoint protection systems
- Access management
- Asset management
- Network management
- Data protection and loss prevention
- Incident response
- Vulnerability management
- Cybersecurity policies
- Medical device security
Again, these are only healthcare cybersecurity guidelines and not standards. It is hoped that healthcare organisations are able to increase their awareness of these topics through these recommendations.