Any organization in the healthcare industry knows that cybersecurity is a critical component of doing business. So much so, in fact, that any enterprise handling protected health information (PHI) must implement and maintain strict cybersecurity and privacy controls to protect patient data from unauthorized disclosure.
However, understanding that HIPAA is a requirement for operation doesn’t necessarily make compliance or effective cybersecurity any easier to implement. That’s why an initiative conceived by government agencies, known as the Health Industry Cybersecurity Practices (HICP), was put into action to align healthcare security with government and industry best practices.
What is HICP?
In 2015, Congress passed the Cybersecurity Act as a way to align federal, state and local agencies concerning how they share and store information. This legislation was massive in scope and attempted to draw together laws regulating a significant number of agencies and businesses in several industries to promote best practices.
Part of this law, Section 405(d), “Aligning Health Care Industry Security Approaches,” mandates the creation of a 405(d) Task Group to create a set of voluntary and consensus-based cybersecurity guidelines and processes that support enterprises in the healthcare industry. The three core goals of this Task Group are:
- Reducing cybersecurity risks for healthcare organizations cost-effectively.
- Supporting voluntary adoption and implementation of best practices.
- Ensuring the availability of these actionable and relevant best practices to organizations and stakeholders of any size.
This group came together for the first time in 2017 with a steering committee composed of members from:
- The National Institute of Standards and Technology (NIST)
- The Department of Health and Human Services (HHS)
- The Department of Defense
- The Department of Homeland Security (DHS)
- The Food and Drug Administration (FDA)
- The Department of Labor
- The Office of the Assistant Secretary for Preparedness and Response (ASPR)
Furthermore, several representatives from other agencies and private companies make up the remaining group membership, including members from organizations like:
- Synergy Healthcare Services
- University of Chicago Medicine
- Ohio Health
- Johns Hopkins and Johns Hopkins All Children’s Hospital
- The Greater New York Hospital Association
- Wake Forest Baptist Health
- American Hospital Association
The guidelines published by this Task Group, free of charge, are called the Health Industry Cybersecurity Practices.
What Are the HICP Standards?
At the heart of HICP is the understanding that a standard set of basic and effective cybersecurity practices can serve the greater good of protecting patient information and supporting the three primary goals listed above.
To outline these standards, the 405(d) Task Group publishes two separate documents, titled “Technical Volume 1” and “Technical Volume 2”. These two documents, by and large, outline the same practices, with slight differences for mid-sized to enterprise organizations (“Volume 1”) and for small practices (“Volume 2”).
Across both documents, ten distinct practices are defined. These are:
- Email Protection Systems: Use business-grade email systems with proper security protections to protect PHI through encryption and access control mechanisms. Protect email accounts with multifactor authentication (MFA). Include alerts that flag emails from external domains so users are aware of them.
- Endpoint Protection Systems: Implement antivirus software. Disallow administrator access from endpoint devices. Encrypt data on endpoint devices, and protect those devices from unauthorized access with password, biometric authentication, or MFA solutions.
- Identity and Access Management: Require that users have a single, unique account, disallow generic or guest accounts, and restrict access to PHI or system resources using role-based access control systems. Use advanced authentication and authorization controls like MFA or Single Sign-On (SSO).
- Data Protection and Loss Prevention: Classify data based on its sensitivity and use cases (protected, public, internal, etc.). Implement data archiving and loss prevention protocols. Provide training and administration for employees to follow critical data loss prevention practices.
- IT Asset Management: Maintain active and ongoing asset inventories that include IP and MAC addresses, user deployment, physical location, and technical details. Have clear policies for the procurement and destruction of these devices.
- Network Management: Deploy secure network hardware from incoming network gateways to user access points. Use hardware and software security (firewalls, IoT security, etc.) to protect network traffic. Segment networks based on resource access and availability. Restrict or block access to local area networks from the public network.
- Vulnerability Management: Perform regular vulnerability scans on all networked resources containing PHI. Identify, remediate or mitigate vulnerabilities discovered by scans. Conduct regular patching and updates for all devices, servers, and applications. Perform regular penetration tests.
- Security Operations Center and Incident Response: Create and maintain an incident response plan to execute in the event of a security breach. Larger organizations can establish a Security Operations Center (SOC) function (either internally or through a provider) to ensure regular and ongoing security prevention and remediation efforts.
- Medical Device Security: Deploy any and all security measures listed above to remote medical devices processing PHI and other patient information.
- Cybersecurity Policies: Create comprehensive policies, procedures, and operations around cybersecurity that are regularly maintained and updated. Define roles and responsibilities in the organization around security and compliance.
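The Identity and Access Management and Endpoint Protection practices above are the ones most easily turned into a repeatable check. The script below is an added example, not part of the original post or of the 405(d) publications: it audits a constructed account and endpoint inventory for generic or unowned accounts, PHI access without MFA, unencrypted disks, missing antivirus, and local administrator rights on end-user devices. The `GENERIC_USERNAMES` list, the `Account` and `Endpoint` fields, and the sample inventory are all hypothetical; a real deployment would populate them from its own directory and asset-management exports.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed list of usernames that denote a shared or generic account rather
# than one person. Hypothetical: derive this from your own naming policy.
GENERIC_USERNAMES = {"admin", "guest", "nurse", "frontdesk", "shared", "scanner"}

Finding = Tuple[str, str, str]  # (practice, subject, issue)


@dataclass
class Account:
    username: str
    owner: Optional[str]  # accountable person; None means a shared, unowned account
    mfa_enabled: bool
    phi_access: bool      # account can reach systems holding PHI


@dataclass
class Endpoint:
    hostname: str
    disk_encrypted: bool
    antivirus_running: bool
    local_admins: Tuple[str, ...]  # usernames holding local administrator rights


def audit_accounts(accounts: List[Account]) -> List[Finding]:
    """IAM practice: one unique account per user, no generic or guest accounts,
    and MFA in front of anything that touches PHI."""
    findings: List[Finding] = []
    for acct in accounts:
        if acct.username.lower() in GENERIC_USERNAMES or acct.owner is None:
            findings.append(("IAM", acct.username, "generic or unowned account"))
        if acct.phi_access and not acct.mfa_enabled:
            findings.append(("IAM", acct.username, "PHI access without MFA"))
    return findings


def audit_endpoints(endpoints: List[Endpoint]) -> List[Finding]:
    """Endpoint practice: antivirus running, data at rest encrypted, and no
    administrator rights granted on end-user devices."""
    findings: List[Finding] = []
    for ep in endpoints:
        if not ep.disk_encrypted:
            findings.append(("Endpoint", ep.hostname, "disk not encrypted"))
        if not ep.antivirus_running:
            findings.append(("Endpoint", ep.hostname, "antivirus not running"))
        for user in ep.local_admins:
            findings.append(("Endpoint", ep.hostname,
                             f"local administrator rights held by {user}"))
    return findings


# Constructed sample inventory; none of these names refer to a real organization.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Jane Doe", mfa_enabled=True, phi_access=True),
    Account("frontdesk", None, mfa_enabled=False, phi_access=True),
    Account("rsmith", "Ray Smith", mfa_enabled=False, phi_access=True),
    Account("svc_backup", "IT Ops", mfa_enabled=True, phi_access=False),
]
SAMPLE_ENDPOINTS = [
    Endpoint("ws-101", disk_encrypted=True, antivirus_running=True, local_admins=()),
    Endpoint("ws-102", disk_encrypted=False, antivirus_running=True, local_admins=("rsmith",)),
    Endpoint("lap-07", disk_encrypted=True, antivirus_running=False, local_admins=()),
]


def run_audit(accounts: List[Account] = SAMPLE_ACCOUNTS,
              endpoints: List[Endpoint] = SAMPLE_ENDPOINTS) -> List[Finding]:
    """Run both audits and return every finding as a (practice, subject, issue) tuple."""
    return audit_accounts(accounts) + audit_endpoints(endpoints)


def summarize(findings: List[Finding]) -> dict:
    """Count findings per practice area, which is what a risk register would track."""
    counts: dict = {}
    for practice, _, _ in findings:
        counts[practice] = counts.get(practice, 0) + 1
    return counts


if __name__ == "__main__":
    results = run_audit()
    for practice, subject, issue in results:
        print(f"[{practice}] {subject}: {issue}")
    print(summarize(results))
```

Each finding maps back to a named HICP practice, so the output can be filed directly against the practice area it violates rather than as an undifferentiated list of misconfigurations. The same structure extends to the other practices (for example, asset-management entries missing a MAC address or physical location) by adding a dataclass and an audit function per practice.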
Protecting PHI and Meeting Security and Risk in Healthcare with Continuum GRC
HICP isn’t about compliance or mandatory regulations; it’s a set of best practices that you should be following if you’re in the healthcare industry.
Continuum GRC provides critical security assessments, compliance support and risk management tools to support your organization’s healthcare cybersecurity efforts. This can apply to your approach to HICP suggestions and even HIPAA requirements.
Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- DFARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS
- IRS 1075
- COSO SOX
- ISO 27000 Series
And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.
Looking to Get Started with HICP and HIPAA?
Continuum GRC is proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.