Cyber Risk Advisory

New HC3 Report Defines Security Assessments Needed for Healthcare Organizations During and After COVID-19

June 6, 2020
Blog Images 2022 06 05 Tile

The Health Sector Cybersecurity Coordination Center (HC3) recently delivered a report that defines and articulates the security assessments and information technology audits that should be considered during and after the COVID-19 pandemic.

According to the report, COVID-19 has required an increased need to collect and share information between providers, patients, hospitals, vendors and other organizations. This has led to an uptick in malicious cyber campaigns that are targeting healthcare facilities across the United States and United Kingdom.

HC3 emphasizes the necessity and importance of conducting ‘Security Assessments in Care Settings’ and defines the steps that should be taken, including:

  • Create a core assessment team
  • Review existing security policies
  • Create a database of IT assets
  • Understand threats and vulnerabilities
  • Estimate the impact
  • Determine the likelihood
  • Plan the controls

Additional security measures include:

  • Cyberattack simulation tests
  • Security scanning
  • Vulnerability scanning
  • Ensure supplier compliance
  • Proper Business Associate Agreements
  • Penetration testing

Information technology (IT) auditing in a healthcare environment is used to identify gaps and expose issues with the controls in current security systems, allowing organizations to address them before a cybercriminal takes advantage of system weaknesses. IT auditing will ensure compliance gaps or deficiencies are identified and recommendations for mitigating and resolving the compliance deficiencies are defined.

A final post-COVID-19 U.S. Department of Health and Human Services (HHS) recommendation concludes that when the pandemic normalizes, healthcare providers should conduct a thorough security assessment to identify and mitigate the new threat vectors and vulnerabilities introduced during the COVID-19 pandemic.

Fundamentally, the HC3 report follows the HIPAA Security Rule implementation specifications for:

  • Risk Analysis – 45 CFR § 164.308(a)(1)(ii)(A) {Security Assessment}
  • Risk Management - 45 CFR § 164.308(a)(1)(ii)(B) {Security Assessment}
  • Technical Evaluation – 45 CFR § 164.308(a)(8) {Vulnerability Analysis and Penetration Testing}
  • Non-Technical Evaluation - 45 CFR §164.308(a)(8) {IT Auditing}

The items noted in brackets above use the terminology applied in the HC3 report for an easy cross-reference to the HIPAA Security Rule.

The importance of the HC3 report and recommendations is the fact that threat vectors have changed due to COVID-19. The extended use of telehealth, and Office for Civil Rights (OCR) HIPAA enforcement discretion, has introduced temporarily-approved service platforms such as Zoom, Facetime, Facebook Messenger, etc. that may not meet HIPAA requirements and would need to be assessed for risks following the termination of the OCR action. The quarantine has introduced a massive work-from-home business continuity model which, in all probability, has not been considered in business continuity and disaster recovery planning.

When the pandemic subsides and the OCR rescinds enforcement discretion, organizations should make sure they follow the HHS recommendation to conduct a thorough security assessment of potential new threat vectors that may have been introduced by COVID-19.