HHS Offers Advice to Help Healthcare Organizations Strengthen Their Cyber Posture

The HHS’ Health Sector Cybersecurity Coordination Sector (HC3) has published guidance for healthcare organizations to help them improve their cyber posture. Cyber posture is the term given for the overall strength of an organization’s cybersecurity, protocols for predicting and preventing cyber threats, and the ability to continue to operate while responding to cyber threats.

To comply with the HIPAA Security Rule, organizations are required to implement safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information, and reduce risks to a low and acceptable level.

Technical safeguards will help to keep ePHI private and confidential and will ensure ePHI can be recovered in the event of a destructive cyberattack. A robust cybersecurity program can help to limit the damage caused in the event of an attack, can prevent the theft of sensitive information such as ePHI and intellectual property, limit the potential for misuse of patient data, and will help to improve customer confidence.

HC3 details several steps that can be taken to improve cyber posture such as conducting regular security posture assessments, consistently monitoring networks and software for vulnerabilities, defining which departments own risks and assigning managers to specific risks, regularly analyzing gaps in security controls, defining key security metrics, and creating incident response and disaster recovery plans.

HC3 also recommends following the cybersecurity best practices detailed in CISA Insights for protecting against cyber threats. These best practices can help to reduce the likelihood of a damaging cyber intrusion occurring, will help organizations rapidly detect attacks in progress, will make it easier to conduct an efficient breach response, and maximize organizations’ resilience to destructive cyberattacks.

HC3 draws attention to the security risk assessment, which is an aspect of HIPAA Security Rule compliance that has been problematic for many healthcare organizations. The security risk assessment is concerned with identifying threat sources, threat events, and vulnerabilities, determining the likelihood of exploitation and the probable impact, and calculating risk as a combination of likelihood and impact.

Healthcare organizations can then use the information provided by risk assessments to prioritize risk management. The Office for Civil Rights has recently released a new version of its Security Risk Assessment Tool, which can help small- and medium-sized healthcare organizations with their security risk assessments.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.