Cyber Risk Advisory
New HC3 Report Defines Security Assessments Needed for Healthcare Organizations During and After COVID-19
This content is provided "as is" and is more than a year old. No representations are made that the content is up-to date or error-free.
The Health Sector Cybersecurity Coordination Center (HC3) recently delivered a report that defines and articulates the security assessments and information technology audits that should be considered during and after the COVID-19 pandemic.
According to the report, COVID-19 has required an increased need to collect and share information between providers, patients, hospitals, vendors and other organizations. This has led to an uptick in malicious cyber campaigns that are targeting healthcare facilities across the United States and United Kingdom.
HC3 emphasizes the necessity and importance of conducting ‘Security Assessments in Care Settings’ and defines the steps that should be taken, including:
- Create a core assessment team
- Review existing security policies
- Create a database of IT assets
- Understand threats and vulnerabilities
- Estimate the impact
- Determine the likelihood
- Plan the controls
Additional security measures include:
- Cyberattack simulation tests
- Security scanning
- Vulnerability scanning
- Ensure supplier compliance
- Proper Business Associate Agreements
- Penetration testing
Information technology (IT) auditing in a healthcare environment is used to identify gaps and expose issues with the controls in current security systems, allowing organizations to address them before a cybercriminal takes advantage of system weaknesses. IT auditing will ensure compliance gaps or deficiencies are identified and recommendations for mitigating and resolving the compliance deficiencies are defined.
A final post-COVID-19 U.S. Department of Health and Human Services (HHS) recommendation concludes that when the pandemic normalizes, healthcare providers should conduct a thorough security assessment to identify and mitigate the new threat vectors and vulnerabilities introduced during the COVID-19 pandemic.
Fundamentally, the HC3 report follows the HIPAA Security Rule implementation specifications for:
- Risk Analysis – 45 CFR § 164.308(a)(1)(ii)(A) {Security Assessment}
- Risk Management - 45 CFR § 164.308(a)(1)(ii)(B) {Security Assessment}
- Technical Evaluation – 45 CFR § 164.308(a)(8) {Vulnerability Analysis and Penetration Testing}
- Non-Technical Evaluation - 45 CFR §164.308(a)(8) {IT Auditing}
The items noted in brackets above use the terminology applied in the HC3 report for an easy cross-reference to the HIPAA Security Rule.
The importance of the HC3 report and recommendations is the fact that threat vectors have changed due to COVID-19. The extended use of telehealth, and Office for Civil Rights (OCR) HIPAA enforcement discretion, has introduced temporarily-approved service platforms such as Zoom, Facetime, Facebook Messenger, etc. that may not meet HIPAA requirements and would need to be assessed for risks following the termination of the OCR action. The quarantine has introduced a massive work-from-home business continuity model which, in all probability, has not been considered in business continuity and disaster recovery planning.
When the pandemic subsides and the OCR rescinds enforcement discretion, organizations should make sure they follow the HHS recommendation to conduct a thorough security assessment of potential new threat vectors that may have been introduced by COVID-19.