Healthcare Cybersecurity

Senate Committee Told How Federal Government Can Improve Healthcare Cybersecurity

On Thursday last week, the U.S. Senate Committee on Homeland Security and Governmental Affairs held a hearing to examine cybersecurity risks to the healthcare sector, how healthcare providers and the federal government are working to combat those threats, and determine what the federal government needs to do to improve defenses against cyberattacks on the healthcare sector.

“Relentless cyber-attacks show that foreign adversaries and cybercriminals will stop at nothing to exploit cybersecurity vulnerabilities in our critical infrastructure and most essential systems,” said Committee Chairman Gary C. Peters (D-MI). “What is most concerning about these attacks is that they don’t just compromise personal information, they can actually affect patient health and safety.”

Peters explained that the committee has already taken important steps to strengthen cybersecurity for critical infrastructure sectors, including healthcare. Among them was advancing a bipartisan bill requiring critical infrastructure organizations to report cyberattacks and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA), both to give defenders more transparency and situational awareness and to enable CISA to warn potential victims of ongoing attacks. He accepted, however, that Congress can do much more to ensure critical networks in the healthcare and public health sector remain resilient against cyberattacks.

At the hearing, testimonies were provided by Scott Dresden, SVP and CISO, Corewell Health; Kate Pierce, Senior Virtual Information Security Officer, Fortified Health Security; Greg Garcia, Executive Director, Cyber Security Healthcare and Public Health Sector Coordinating Council; and Stirling Martin, SVP & Chief Privacy and Security Officer, Epic Systems.

Scott Dresden, SVP and CISO, Corewell Health

Scott Dresden explained that the healthcare sector is particularly vulnerable to cyberattacks due to the complex healthcare business model, which often involves multiple, often independent, entities coming together to form what the patient sees as a cohesive care delivery process. “Over time and often out of necessity, this model has evolved in ways that have made us more vulnerable to cyber-attacks,” said Dresden. “For example, the rapid expansion of network-connected technologies to provide telehealth during the COVID-19 pandemic” and the “expanded use of Software as a Service and other cloud-based solutions.” These have increased the attack surface considerably and provided many opportunities for threat actors to compromise an organization.

Dresden explained that it is vital to implement a comprehensive information security program but there is great disparity across the industry. While large health systems have the resources to create an effective security team, that is far more difficult for small and medium-sized healthcare organizations, and even large health systems with mature security programs are still being compromised. Dresden has called for the U.S. government to respond to cyber threats more effectively and automate the sharing of the actionable threat intelligence the government acquires with the healthcare sector. Doing so would enable rapid, near real-time automatic ingestion of threat intelligence into the technologies participating members use to protect their respective organizations.

The HHS’ Office for Civil Rights has recently called for Congress to increase the penalty caps for HIPAA violations to help address its budget shortfall, but Dresden does not believe this is a wise move. “We understand and support the legislative intent to encourage adoption of best practices and the implementation of appropriate protections to safeguard our data,” said Dresden. “However, penalizing victims of cyberattacks, when defensive measures can’t keep up with the sophistication of hackers, is not the fair approach.”

Kate Pierce, Senior Virtual Information Security Officer, Fortified Health Security

Kate Pierce, who served as CIO and CISO at a 25-bed community hospital in Vermont for 21 years before joining Fortified Health Security, drew attention to the cybersecurity gaps at small rural hospitals, which face severe financial and staffing constraints and struggle to recruit cybersecurity talent. The best practices in voluntary guidance can be adopted by large healthcare organizations, but at small, under-resourced hospitals they simply will not be implemented. She recommended introducing mandatory minimum security standards, since without such a requirement cybersecurity will not be prioritized over other pressing needs, but stressed that small providers will also need the means to implement the required measures. Pierce also drew attention to the difficulty rural hospitals face in obtaining cyber insurance: even when coverage can be obtained, premiums are between 35% and 75% higher than those paid by larger healthcare organizations, and policies typically carry far more exclusions. Small healthcare organizations rely on cyber insurance to ensure they can recover from cyberattacks.

Stirling Martin, SVP & Chief Privacy and Security Officer, Epic Systems

Stirling Martin drew attention to current staffing shortages and the difficulty healthcare organizations have attracting and retaining high-demand security talent. He explained that Epic has seen huge variation in the sophistication of security programs at healthcare providers across the country, and that there is no defined benchmark for what security practices are considered sufficient. He also said there is a lack of cybersecurity information sharing among healthcare organizations and limited threat intelligence from government agencies and private industry. Martin called for the government to help address the talent shortage, suggesting the federal government could develop security training programs and incentivize newly trained professionals to work in healthcare. He also suggested that federal agencies such as CISA or NIST could develop a single set of prescriptive security practices for the healthcare industry, or that such a set could come from industry efforts such as HITRUST or collaborations such as the Healthcare Sector Coordinating Council.

Greg Garcia, Executive Director, Cyber Security Healthcare and Public Health Sector Coordinating Council

Greg Garcia provided an overview of cyber threat, vulnerability, and data breach trends, an outline of how the industry and government agencies have been working together to address cybersecurity, and made several recommendations on how the government can support the health industry’s efforts to improve security.

The recommendations include augmenting the HHS 405(d) program, which already has a successful track record of partnership with the healthcare industry; creating a Healthcare Cybersecurity Workforce Development Program to address the staffing challenges; providing financial support to help healthcare organizations improve cybersecurity; and to increase funding for HHS Health Sector Cyber Coordination Center (HC3) to expand its ability to be a knowledge sharing and analysis resource for the sector.

With budgets already stretched, dealing with the multiple class action lawsuits that are filed following a data breach can be a huge financial drain on healthcare organizations, and the money spent defending lawsuits would be better spent on improving cybersecurity to prevent further data breaches. Garcia suggests health delivery organizations should be protected from class action lawsuits if they demonstrate they have implemented recognized security practices such as the NIST CSF or HICP.

Garcia also recommended updating HIPAA to reference the use of minimum standards in NIST CSF, HICP, or other recognized security practices, rather than prescribing cybersecurity requirements in statute. “These standards should be built in partnership with the HSCC and regulators such as OCR, ONC, CMS, and FDA, and cross-mapped for overlap or conflict where the various regulatory regimes intersect,” said Garcia. “A holistic, coherent cyber policy strategy is essential for a healthcare environment where clinical operations, medical devices, electronic health record technology, patient data, and IT systems are all interconnected but subject to different regulatory structures and authorities.”

The post Senate Committee Told How Federal Government Can Improve Healthcare Cybersecurity appeared first on HIPAA Journal.

HC3 Shares Black Basta Ransomware Threat Intelligence Data

The Health Sector Cybersecurity Coordination Center (HC3) has shared threat intelligence information about the Black Basta ransomware group to help network defenders prevent and rapidly detect attacks in progress. The Black Basta group was first identified in April 2022 and is known to conduct ransomware and extortion attacks. The group engages in double extortion tactics, exfiltrating sensitive data and encrypting files, then issues threats to publish the data on its data leak site if the ransom is not paid. The group is also known to conduct extortion-only attacks without file encryption.

While the group has only been in operation for a relatively short time, it is clear that the group has extensive experience in ransomware attacks, as in the first two weeks of operation the group is known to have conducted at least 20 ransomware attacks. The Russian-speaking threat group is believed to include former members of the Conti and BlackMatter ransomware operations and uses similar tactics, techniques, and procedures to those groups and is thought to have links to the FIN7 threat group. It is highly probable that the group has conducted ransomware attacks in the past under a different name, with some security researchers believing Black Basta is a rebrand of Conti. Conti was officially disbanded in May 2022 and it is thought that the group split into several smaller operations.

Black Basta consists of highly capable individuals well-versed in conducting ransomware attacks. The group has conducted attacks on several healthcare and public health (HPH) sector organizations, including health information technology companies, healthcare industry service providers, laboratories and pharmaceutical firms, and health plans. The vast majority of its victims are located in the United States, although the group has started conducting attacks in other countries, primarily the Five Eyes countries (USA, Australia, Canada, New Zealand, and the United Kingdom).

Black Basta is known for carefully choosing its targets and has attacked many critical infrastructure entities. The attacks are believed to be financially motivated rather than linked to the Russian government, although it is possible that the group also has some sort of political agenda, given the countries that are typically targeted. The group does not rely on one method of attack and often uses a unique approach in attacks on specific targets. The group is known to purchase access to systems from initial access brokers. Once access is gained, the group uses a variety of tools for remote access, privilege escalation, lateral movement, and data exfiltration, including Qakbot/QBot, SystemBC, Mimikatz, Cobalt Strike, and Rclone. Additional methods of access include the exploitation of vulnerabilities, exposed Remote Desktop Protocol (RDP) services, phishing, web injections, malicious downloads, and repackaged/infected software installers.

You can view the full analysis of the group along with the recommended defensive measures and mitigations here.

HSCC Issues Guidance for Healthcare Organizations on Managing Legacy Technology Security

This month, the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) published guidance to help healthcare delivery organizations effectively manage cyber risks associated with legacy technology. In healthcare, a great deal of attention has been focused on addressing cybersecurity risks associated with legacy medical devices, but they are not the only type of legacy technology in use in healthcare environments. Many different technologies are used that similarly become more vulnerable as they age, and continue to be used after end-of-life has been reached and support is withdrawn. Technologies include FDA-regulated devices, non-FDA-regulated devices, laboratory equipment, building and facilities technology, and a host of other technologies.

While the obvious solution from a security perspective is to upgrade to modern, supported systems ahead of the technologies reaching end-of-life, that is often not practical or possible. Instead, healthcare delivery organizations need to effectively manage the risks associated with these technologies. Vulnerabilities in these technologies can be exploited by malicious actors, which can threaten patient privacy and patient safety. Unfortunately, many healthcare organizations that use legacy technologies have limited staff and resources to devote to protecting these technologies, which means vulnerabilities can persist indefinitely.

The guidance – Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS) – details best practices and makes several recommendations for healthcare delivery organizations, medical device manufacturers, and other technology providers whose products are used in healthcare environments. The guidance explains that all of these entities have a shared responsibility to ensure legacy technologies can be used securely in clinical environments while staying one step ahead of modern cyber threats. HSCC encourages healthcare delivery organizations, medical device manufacturers, and other technology providers to work together to effectively manage risk.

The guidance is the result of three years of work by 67 industry and government member organizations, including healthcare delivery organizations, medical device manufacturers, trade groups, government representatives, security experts, and health IT companies. The guidance covers the four core pillars of a comprehensive legacy technology cyber risk management program: governance, communications, cyber risk management, and future-proofing legacy technologies, and includes general and specific recommendations for each of those pillars in an easily actionable format.

CISA Launches Ransomware Vulnerability Warning Pilot Program

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new pilot program in response to the increase in ransomware attacks on critical infrastructure entities. The aim of the pilot program is to help critical infrastructure entities better protect their systems against ransomware attacks by fixing exploitable vulnerabilities in their Internet-facing systems.

The Ransomware Vulnerability Warning Pilot (RVWP) program is authorized under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 and commenced on January 30, 2023. Under the program, CISA conducts scans to determine whether Internet-exposed systems contain vulnerabilities that could be exploited by ransomware actors to gain access to the networks behind them. Alerts are then sent to those entities by CISA’s regional cybersecurity personnel to inform them that the vulnerabilities exist, allowing timely action to be taken to fix the flaws before they can be exploited by ransomware gangs or other malicious actors. CISA says critical infrastructure entities may be unaware that they have exploitable vulnerabilities in their systems and may only discover unpatched vulnerabilities once they have been exploited in a ransomware attack. CISA said the RVWP program leverages existing services, data sources, technologies, and authorities, including CISA’s Cyber Hygiene Vulnerability Scanning service and the administrative subpoena authority granted to CISA under Section 2209 of the Homeland Security Act of 2002.

The program is focused on identifying vulnerabilities in Internet-facing systems that are known to have been exploited by ransomware gangs in previous attacks. Under the RVWP program, CISA has already notified almost 100 critical infrastructure entities that they have systems with unaddressed ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) in Microsoft Exchange. The ProxyNotShell vulnerabilities have been widely exploited by ransomware gangs over the past few months.

“Ransomware attacks continue to cause untenable levels of harm to organizations across the country, including target rich, resource-poor entities like many school districts and hospitals,” said Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA. “The RVWP will allow CISA to provide timely and actionable information that will directly reduce the prevalence of damaging ransomware incidents affecting American organizations. We encourage every organization to urgently mitigate vulnerabilities identified by this program and adopt strong security measures consistent with the U.S. government’s guidance on StopRansomware.gov.” CISA also encourages critical infrastructure entities to report ransomware attacks to the U.S. government via the FBI’s Internet Crime Complaint Center or CISA’s incident reporting system.

The RVWP program is one of several initiatives launched by CISA in the past two years in response to ransomware attacks on critical infrastructure entities and government agencies, including the attacks on Colonial Pipeline, JBS Foods, and Kaseya. These efforts include the addition of a Ransomware Readiness Assessment (RRA) module to its Cyber Security Evaluation Tool (CSET), the formation of a public-private partnership, the Joint Cyber Defense Collaborative (JCDC), to proactively gather, analyze, and share actionable cyber risk information, and the launch of its StopRansomware.gov website, which serves as a one-stop shop for alerts and ransomware resources.

HC3 Sheds Light on Data Exfiltration Trends in Healthcare Cyberattacks

The Health Sector Cybersecurity Coordination Center has issued a security advisory warning about data exfiltration in healthcare cyberattacks, highlighting the extent of the practice and sharing several recommended mitigations. Data exfiltration typically occurs once a threat actor has gained access to a network, elevated privileges, and moved laterally. It is one of the last stages of the cyber kill chain and the primary objective in many cyberattacks.

There are several reasons for data theft. Nation-state actors often steal data for espionage purposes, cybercriminal groups steal healthcare data as it can be easily monetized and as leverage for extortion, and insiders steal data for financial gain, competitive advantage, and blackmail. When ransomware first started to be used by cybercriminal groups, files were simply encrypted; however, data exfiltration is now common. Data theft allows ransomware actors to profit from attacks when ransoms are not paid, and oftentimes it is the threat of publication of stolen data that prompts victims to pay up. Such is the incentive to pay to prevent data exposure that ransomware gangs are even dispensing with file encryption and are conducting extortion-only attacks.

In the security advisory, HC3 draws attention to the extent to which data exfiltration is occurring. HC3 explains that breach notifications to the HHS show 28.5 million records were exposed in the second half of 2022, up 21.1 million records from 2019. Across all 588 reported data breaches in 2022, more than 44 million patient records were exposed. At least 24 healthcare ransomware attacks occurred in 2022 impacting operators of 289 U.S. hospitals, and sensitive data were exfiltrated in 70% of those attacks.

Data exfiltration is not limited to ransomware attacks. Data theft is common in attacks involving other types of malware, such as information stealers, and several cyber threat groups have emerged that concentrate on data exfiltration and extortion, including the Donut Leaks, Karakurt, and the Lapsus$ threat groups. Nation-state-sponsored Advanced Persistent Threat Actors often gain persistent access to networks and remain undetected for years in order to exfiltrate sensitive data over extended periods. One attack, identified by WithSecure, saw the Lazarus APT group steal more than 100GB of sensitive data from the medical research and technology sector before being detected. As more organizations move from on-premises to cloud storage, threat actors have also been increasingly targeting cloud resources to steal data, and often delete cloud backups to prevent recovery from ransomware attacks.

Data exfiltration is often the most harmful aspect of a healthcare cyberattack. In addition to hardening defenses to prevent initial access to networks, network defenders should be monitoring for attempted data exfiltration and should take steps to prevent, block, and limit data exfiltration. HC3 has made several recommendations in the alert, including high-level mitigations such as integrating security awareness and security best practices, evaluating risks associated with every interaction with computers, applications, and data, and conducting periodic audits to verify that security best practices are being followed.

HC3 also recommends implementing monitoring systems that generate alerts about unusual data access, data movement, unsanctioned software and hardware (shadow IT), and unauthorized data access, and ensuring logs are generated by networks, workstations, servers, email, databases, web applications, firewalls, authentication services, and cloud resources. Those logs should be managed centrally and closely monitored. External actors are not the only concern: employees should also be monitored, especially departing employees. Their access to resources should be promptly terminated, and extra attention should be paid to their activities in the lead-up to their departure.
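The monitoring HC3 describes, alerting on unusual data movement from centrally managed logs, comes down to comparing each host against its own history rather than against one absolute threshold. The following is an added example and not code from the HC3 advisory: it takes constructed per-flow summaries (day, host, destination, bytes out), builds a median daily baseline per host, and flags a host whose outbound volume jumps past a multiple of that baseline, listing any destinations that host has never talked to before. The ratio and minimum-bytes thresholds, host names and destinations are all assumptions.

```python
"""Per-host outbound volume baselining for exfiltration detection.

Added example, not part of the HC3 advisory. FLOWS is constructed: it stands
in for the daily per-destination totals a SIEM would roll up from firewall,
proxy or NetFlow logs. Thresholds are assumptions to be tuned per environment.
"""
from collections import defaultdict
from statistics import median

FLOWS = [  # (day, host, destination, bytes_out); constructed sample data
    # an oncology workstation: ~45 MB/day to the EHR, then a 9 GB burst to an unseen IP
    ("2023-03-01", "WS-ONC-04", "ehr.corp.example", 40_000_000),
    ("2023-03-01", "WS-ONC-04", "updates.vendor.example", 5_000_000),
    ("2023-03-02", "WS-ONC-04", "ehr.corp.example", 45_000_000),
    ("2023-03-03", "WS-ONC-04", "ehr.corp.example", 38_000_000),
    ("2023-03-04", "WS-ONC-04", "ehr.corp.example", 42_000_000),
    ("2023-03-04", "WS-ONC-04", "203.0.113.77", 9_000_000_000),
    # a file server that legitimately pushes ~300 GB/day to the backup target
    ("2023-03-01", "FILE-SRV02", "backup.corp.example", 300_000_000_000),
    ("2023-03-02", "FILE-SRV02", "backup.corp.example", 310_000_000_000),
    ("2023-03-03", "FILE-SRV02", "backup.corp.example", 295_000_000_000),
    ("2023-03-04", "FILE-SRV02", "backup.corp.example", 305_000_000_000),
]


def daily_totals(flows):
    """host -> day -> total outbound bytes."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def known_destinations(flows, before_day):
    """host -> set of destinations seen strictly before `before_day` (ISO dates sort lexically)."""
    seen = defaultdict(set)
    for day, host, dst, _nbytes in flows:
        if day < before_day:
            seen[host].add(dst)
    return seen


def find_exfil(flows, day, ratio=5.0, min_bytes=1_000_000_000):
    """Alert on hosts whose outbound bytes on `day` are at least `ratio` times
    their median daily baseline AND at least `min_bytes` (the floor stops a
    quiet host alerting on a few megabytes). Each alert lists destinations the
    host had never contacted before that day. Hosts with no prior days are
    skipped: a brand-new host cannot be baselined and needs separate handling.
    """
    totals = daily_totals(flows)
    seen = known_destinations(flows, day)
    alerts = []
    for host, per_day in totals.items():
        history = [b for d, b in per_day.items() if d < day]
        today = per_day.get(day, 0)
        if not history or today == 0:
            continue
        baseline = median(history)
        if today >= ratio * baseline and today >= min_bytes:
            new_dsts = sorted({dst for d, h, dst, _ in flows
                               if h == host and d == day and dst not in seen[host]})
            alerts.append({"host": host, "bytes": today,
                           "baseline": baseline, "new_destinations": new_dsts})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil(FLOWS, "2023-03-04"):
        print(f"{alert['host']}: {alert['bytes']:,} B out vs baseline "
              f"{alert['baseline']:,} B; new destinations: {alert['new_destinations']}")
```

With the constructed data the file server's 305 GB backup run does not alert because it is in line with its own history, while the workstation's 9 GB to a never-seen address does. An absolute byte threshold would get both cases wrong; the per-host baseline plus the new-destination check is what separates Rclone pushing a share to cloud storage from an ordinary busy day.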

Feds Share Technical Details of Royal Ransomware

A joint cybersecurity advisory has been published by CISA and the FBI, sharing details of the tactics, techniques, and procedures (TTPs) used by the Royal ransomware gang and Indicators of Compromise (IoCs) to help network defenders better protect against attacks.

Royal ransomware is a relatively new threat actor that was first observed conducting attacks in 2022. The group is believed to consist of highly experienced cybercriminals who are well-versed in conducting ransomware attacks, including operators that were once part of Conti Team One. Conti was one of the most prolific ransomware groups over the past three years and was formed by the group behind Ryuk ransomware. Royal previously used the encryptors of other ransomware operations, then switched to its own, Royal, in September 2022, and has now overtaken LockBit to become the main player in the ransomware market.

Like Conti and Ryuk before it, the Royal ransomware group is focused on attacks in the United States, especially critical infrastructure entities, including those operating in the healthcare and public health sector. The group uses a variety of methods to gain initial access to victims’ networks, with phishing the most common initial access vector. Phishing has been used in 67% of known attacks, where employees at victim organizations are tricked into installing a malware loader via emails with PDF attachments, which deliver the Royal ransomware payload. The group is also known to use malicious adverts – malvertising – to direct traffic to websites where malware is downloaded.

Remote Desktop Protocol (RDP) compromise has been used in around 13% of attacks. To a lesser extent, the group also gains access to networks through public-facing applications and buys access from initial access brokers who harvest virtual private network credentials from stealer logs. Once access is gained, the group downloads a range of tools to strengthen its foothold in victims’ networks, then escalates privileges and moves laterally, including leveraging PsExec for lateral movement. The group is known to maintain persistence using various remote monitoring and management tools, including AnyDesk, LogMeIn, and Atera, and has been observed using the penetration testing tool Cobalt Strike, and Ursnif/Gozi for data exfiltration. The group uses Windows Restart Manager to identify whether targeted files are in use or blocked by other applications, uses the Windows Volume Shadow Copy service to delete shadow copies to hamper attempts to recover files without paying the ransom, and exfiltrates data to a U.S. IP address before triggering the encryption routine.

CISA and the FBI strongly recommend taking immediate action to improve defenses against attacks, including prioritizing and remediating known exploited vulnerabilities, training the workforce to identify phishing attempts, and enabling and enforcing multifactor authentication. Full IoCs and TTPs are detailed in the cybersecurity advisory. An Analyst Note on Royal ransomware has also been published by the Health Sector Cybersecurity Coordination Center.

Ransomware Gang Ups the Ante by Publishing Naked Images of Patients

In what is believed to be a first, the BlackCat ransomware gang has published naked images of patients that were stolen in one of its attacks on a healthcare organization in an attempt to pressure the victim into paying the ransom. Lehigh Valley Health Network (LVHN) recently announced that it was dealing with a ransomware attack that was detected on February 6, 2023. LVHN confirmed that the BlackCat ransomware group was behind the attack and had issued a ransom demand, payment of which would see the decryption keys provided and would prevent the release of data stolen in the attack. Brian A. Nester, LVHN President and CEO, confirmed that LVHN refused to pay the ransom and operations were unaffected.

Nester said the attack was on the network supporting a physician practice in Lackawanna County and the computer system involved stored clinically appropriate patient images for radiation oncology treatment and other sensitive patient information. “Attacks like this are reprehensible and we are dedicating appropriate resources to respond to this incident,” said Nester.

In an attempt to pressure LVHN into paying the ransom, BlackCat started leaking some of the stolen data on its data leak site. While data leaks are now common when victims of ransomware attacks refuse to pay the ransom, BlackCat took matters a step further and published patient images stolen in the attack. Images of three breast cancer patients, naked from the waist up, were published on the data leak site along with screenshots of patient data showing diagnoses. “This unconscionable criminal act takes advantage of patients receiving cancer treatment, and LVHN condemns this despicable behavior,” said LVHN spokesperson, Brian Downs.

The HHS recently issued a security advisory about the BlackCat ransomware group, which actively targets organizations in the healthcare and public health sector, and warned that the group engages in aggressive triple extortion tactics. While many ransomware groups use double extortion, combining file encryption with data theft and threats to release the stolen data, BlackCat adds a third tactic: threatening to conduct distributed denial-of-service (DDoS) attacks on victims until they pay up.

BlackCat is not the only ransomware gang to try new tactics to get victims to pay up. The Medusa ransomware gang recently attacked the Minneapolis Public Schools (MPS) District, stole sensitive data, then encrypted files. When payment was not made, MPS was added to the group’s data leak site and a threat was issued to publish the entire trove of data stolen in the attack. The group issued a ransom demand of $1 million, with the data leak site also offering the stolen data to anyone willing to pay the same amount. In a novel twist, the group also published a video showing the data stolen in the attack. The video, which is 51 minutes long, was added as proof of the extent of the data exfiltrated from MPS’s systems.

Ransomware gangs have had to adopt more aggressive tactics as fewer victims are paying ransom demands. According to Coveware, in Q4, 2022, only 37% of victims paid a ransom following a ransomware attack, compared to 76% of victims in 2019. Coveware says several factors are driving the reduction in the profitability of ransomware attacks. Greater investment in security and incident response planning means organizations are better prepared for attacks and are less likely to suffer a material impact from a successful attack. The FBI and other law enforcement agencies are still pursuing the perpetrators of these attacks, but they are also now putting more resources into helping victims recover. Coveware also points out that as revenues fall, operating costs to carry out attacks increase, which means fewer ransomware actors can make a living from distributing ransomware and even large ransomware groups are feeling the effect, hence the need to adopt new tactics to pressure victims into paying up and improve the profitability of attacks.

HSCC & HHS Release Guide to Help Healthcare Organizations Adopt the NIST Cybersecurity Framework

A new guide has been published by the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group and the U.S. Department of Health and Human Services (HHS) to help healthcare organizations align their cybersecurity programs with the NIST Framework for Improving Critical Infrastructure Cybersecurity.

The NIST Cybersecurity Framework is one of the most widely adopted frameworks for identifying and managing cybersecurity risks. The framework was released by NIST in 2014, updated to version 1.1 in 2018, and NIST CSF 2.0 is due for release later this year. The NIST CSF is based on five core functions – Identify, Protect, Detect, Respond, and Recover – and suggests cybersecurity controls that can be implemented in all five functional areas. The framework also includes four tiers against which organizations can rate their adoption of the framework, which allows them to communicate how they are achieving their cybersecurity objectives in a standardized way. The NIST CSF has become the standard cybersecurity framework for government agencies and private sector companies for managing cybersecurity risks.

The healthcare industry is extensively targeted by cybercriminal groups and nation-state actors and must defend against increasingly sophisticated and numerous threats. Healthcare organizations typically have fragmented infrastructures, legacy systems, huge numbers of applications, and must protect an ever-increasing number of network-connected medical devices. Consequently, many healthcare organizations struggle with managing cybersecurity effectively.

“Healthcare cyberattacks are among the fastest growing type of cybercrime – jeopardizing patient care, damaging the integrity of health care systems, and threatening the U.S. economy,” said Dawn O’Connell, HHS Assistant Secretary for Preparedness and Response. “Health care organizations must safeguard their information technology systems to help prevent attacks and create a culture of cyber safety in the health care industry.”

According to the HSCC, a comprehensive cybersecurity framework – such as the NIST CSF – will “provide a common language and structure for discussions around risk and the methods and tools used to manage risk to a level that is not only acceptable to the organization but to other stakeholders such as business partners, customers, and industry and governmental regulators.” Healthcare organizations that base their cybersecurity programs on the NIST CSF can better direct capital, operational, and resource allocations to lines of business generating the greatest return on protecting assets/information and minimizing risk exposure.

While the NIST CSF has been developed to be suitable for organizations of all sizes in all industry sectors, some healthcare organizations have struggled to adopt the framework. The Cybersecurity Framework Implementation Guide is intended to help healthcare organizations adopt the NIST CSF and details specific steps that can be taken to immediately manage cyber risks to their IT systems and better protect against the full range of cyber threats. The guide will help healthcare organizations to assess their current cybersecurity practices and risks and identify gaps for remediation.

“With data breaches having doubled over the past five years and ransomware attacks reaching almost 400 in the same period, it is clear that the healthcare industry needs to up its game,” said Bryan Cline, industry lead for the guide and Chief Research Officer for HITRUST. “Health industry stakeholders of all sizes and subsectors can reduce their cyber risk exposure by implementing this resource and many others produced by the HSCC and government partners.”

The Cybersecurity Framework Implementation Guide was jointly developed by the HSCC and the HHS, and NIST and other federal agencies contributed substantially to its content. “The guide supplements an earlier joint publication of the HHS/HSCC 405(d) Program – the ‘Health Industry Cybersecurity Practices’ – which is aligned with the NIST Cybersecurity Framework. With this toolkit, organizations of all sizes can implement cybersecurity best practices, protect their patients, and make the sector more resilient,” said HSCC Cybersecurity Working Group Chair and Intermountain Healthcare CISO Erik Decker.

The post HSCC & HHS Release Guide to Help Healthcare Organizations Adopt the NIST Cybersecurity Framework appeared first on HIPAA Journal.