The development of the HICP Publication was mandated by Congress through Section 405(d) of the Cybersecurity Act of 2015 (Public Law 114-113). In May 2017, the 405(d) Task Group (the “Task Group”) was formed to develop these recommendations. The HICP Publication was released at the end of December, and the Task Group is currently working to draft additional, supplementary guidance.
At this time, the HICP Publication consists of four volumes: (1) the Main Document; (2) Technical Volume 1, which provides guidance for small health care organizations; (3) Technical Volume 2, which provides guidance for medium and large health care organizations; and (4) the Resources and Templates Volume. A fifth volume, the Cybersecurity Practices Assessments Toolkit, is under development.
The Main Document provides an overview of cybersecurity risk to the health care industry, including statistics regarding recent cybersecurity incidents, and explains the purpose of the HICP Publication. It sets forth the following five current cybersecurity threats facing health care organizations:
- Email phishing.
- Ransomware.
- Loss or theft of equipment or data.
- Insider, accidental or intentional data loss.
- Attacks against connected medical devices that may affect patient safety.
For each threat, the Main Document provides a description, as well as a real-life scenario, and suggests a variety of means by which health care entities can reduce related cybersecurity risk.
The two technical volumes identify and detail the following ten cybersecurity practices to help mitigate these threats:
- Email protection systems.
- Endpoint protection systems.
- Access management.
- Data protection and loss prevention.
- Asset management.
- Network management.
- Vulnerability management.
- Incident response.
- Medical device security.
- Cybersecurity policies.
The technical volumes also provide subpractices tailored to the size of the health care entity—small, medium or large.
In selecting these ten cybersecurity practices, the Task Group sought to provide a model aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (the “NIST Framework”). The HICP Publication explains that these ten practices are meant to help health care entities identify how to achieve the outcomes outlined in the NIST Framework. The NIST Framework is organized around five cybersecurity functions: identify, protect, detect, respond and recover.
The Resources and Templates Volume includes an appendix that maps each recommended subpractice to the NIST Framework. The Resources and Templates Volume also provides a variety of other resources, including templates for cybersecurity-related policies and procedures.
The HICP Publication explains that the intent of these recommendations “is not to introduce a new framework, new methodology, or new regulatory requirement into the cybersecurity space, but rather to introduce guidance that will help raise the cybersecurity floor across the health care industry regarding our defensive and responsive cybersecurity practices.”
Health care organizations should also keep an eye out for forthcoming guidance related to the HICP Publication. The Task Group is planning to develop additional resources related to specific aspects of the HICP Publication, such as incident response and risk assessment and management.