A Better Line of Defense
By Selena Chavis
For The Record
Vol. 33 No. 1 P. 14
Experts weigh in on the NIST Cybersecurity Framework and where organizations are falling short.
The National Institute of Standards and Technology (NIST) is a nonregulatory agency of the US Department of Commerce responsible for implementing standards and best practices for cybersecurity and privacy. Central to its mission is the advancement of the NIST Cybersecurity Framework (CSF), a guide for helping public and private organizations implement systems and strategies for securing data at a time when bad actors are more present than ever across digital networks.
In health care, the stakes are higher than ever. The HIPAA Journal recently called out a report that suggests health care e-mail fraud attacks increased 473% from the first quarter of 2017 through the fourth quarter of 2018. Black Book found that more than 93% of health care organizations experienced a data breach from the third quarter of 2016 through the third quarter of 2019, and 57% had more than five data breaches during the same timeframe. Notably, 9.7 million records were compromised in September 2020 alone. By all accounts, the pandemic has made matters even more dire.
Consequently, health care organizations must identify the best ways of countering a rapidly evolving cyber threat landscape while at the same time advancing mission critical strategies. It’s a challenging prospect for the average resource-strapped C-suite, one that some industry experts say can easily fall short of optimal safeguards.
According to Ron Moser, CISA, CRISC, CCSFP, CHQP, senior reviewer and practitioner with the Electronic Healthcare Network Accreditation Commission, health care organizations must allocate limited resources judiciously. “This includes their proper allocation for addressing cybersecurity risks. It is nonproductive to attempt to implement all the highest-rated cyber protections in all areas,” Moser explains. “Rather, each critical asset must be identified, its value determined, its risks assessed, and protections be implemented based on these assessments. The NIST CSF provides a risk-based approach that may be used for this, organizing controls into five concurrent and continuous functions: identify, protect, detect, respond, and recover.”
Implementing NIST Core Elements: A Deeper Look
More clearly defined, the five core elements of the NIST CSF are the following:
• Identify: developing an organizational understanding to managing cybersecurity risk to systems, people, assets, data, and capabilities;
• Protect: outlining appropriate safeguards to ensure delivery of critical infrastructure services;
• Detect: defining appropriate activities to identify the occurrence of a cybersecurity event;
• Respond: defining and taking appropriate actions related to a detected cybersecurity incident; and
• Recover: identifying appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
According to Ty Greenhalgh, CEO of Cyber Tygr, the majority of health care organizations make the mistake of relying on the IT director to shoulder the responsibility of an NIST CSF implementation. Yet without executive leadership involvement at the board level, many organizations lack the proper prioritization from the top down needed for a successful implementation.
“Organizations need a practical approach for addressing cybersecurity challenges. Boards and executive management want better insight into how cybersecurity management decisions are made,” Greenhalgh says. “The NIST CSF bridges the communications divide between an organization’s leadership and the information technology and security teams, helps define cyber maturity targets, supports complex cyber risk management decisions, and improves board oversight of cybersecurity and cyber risk management programs.”
As a result, organizations need to identify their business objectives and high-level priorities to clearly define strategic decisions, scope of systems, and the assets that support the selected business line or process. “This initial step for a health care organization should be to understand their needs and how the framework can fit the organization,” Greenhalgh says, pointing out that technology-enabled processes that support automation of the CSF can go a long way toward helping organizations operationalize the framework in a sustainable way. “Closely examining an organization’s unique needs is critical since every organization faces different threats, vulnerabilities, and risk tolerances. The NIST CSF is designed to be open and flexible, providing the ability to address unique challenges.”
According to Lee Barrett, executive director and CEO of the Electronic Healthcare Network Accreditation Commission, when properly implemented, the NIST CSF supports controls that aid executives in their quest to address HIPAA compliance by organizing them into a continuous risk management and incident response framework. “The NIST CSF Framework can be used and adapted with many existing standards, guidelines, and practices, including those required by HIPAA,” he says.
Notably, the Office for Civil Rights (OCR) released a crosswalk in 2016 to help health care organizations identify mappings between the HIPAA Security Rule and NIST CSF. Additionally, while organizations may have aligned their security program to one or both approaches, the crosswalk can help identify any potential gaps. OCR states that “addressing these gaps can bolster compliance with the Security Rule and improve an entity’s ability to secure [electronic protected health information] from a broad range of threats.”
This is important, according to Greenhalgh, who pointed out that more than 80% of organizations that underwent a HIPAA audit by the OCR failed to meet its expectations for risk analysis and risk management. “Even today, OCR continues to find the failure to conduct a thorough risk analysis as one of the most frequent violations of the HIPAA Security Rule by organizations they review. Many times this is due to organizations settling for compliance-centric or checklist-focused cybersecurity processes rather than the broader collaborative engagement that should be undertaken to effectively identify and manage organizational risk, safeguard patient privacy, and protect business value,” he says, adding that some organizations lack a clear understanding of what a risk analysis entails, confusing this requirement with a gap or technical analysis.
Where Health Care Organizations Are Falling Short
While many organizations have implemented a cybersecurity program that aligns with NIST CSF, Moser says that it is easy to become complacent and not retain ongoing discipline in practice. As a result, opportunities to minimize threats are missed, and data breaches and other mishaps can occur.
“The organization must strive to combat this complacency by assuring a culture of security and privacy awareness by all workforce members, including management oversight and the implementation of rewards and appropriate penalties and sanctions,” Moser says.
Greenhalgh notes that many health care organizations are relying too heavily on perimeter security. “We need to be paying more attention to the activity that is occurring within the ‘walls of the castle.’ Organizations need to be integrating technologies that limit the activities of all network devices to only the functions required to complete their assigned tasks,” he suggests. “This is called Zero Trust and has been elusive until recently.”
The recent Cybersecurity & Infrastructure Security Agency alert AA20-302A, targeting the Health and Public Health Sector, provides an example of how bad actors are compromising hospitals, calling out how cyber criminals are using ransomware such as Ryuk and Conti to infect organizations from within.
“Determining which devices are communicating with malicious IPs associated with Ryuk is difficult when many device activities are not or cannot be monitored,” Greenhalgh says, pointing back to Zero Trust strategies. “Traditional security tools do not easily identify and manage vulnerabilities of medical and [Internet of Things] devices within hospitals. If vulnerable devices are detected, there are thousands and thousands of these devices that need to have controls implemented.”
Key findings from the Cybersecurity & Infrastructure Security Agency alert suggest that malicious cyber actors are specifically targeting the health care and public health sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of health care services. In addition, the report notes that these issues are particularly of concern amid the COVID-19 pandemic.
An uptick in use of connected medical devices and remote operations during the pandemic has attracted more bad actors to the stage, Greenhalgh points out, adding that these types of solutions are not designed to include security. “They do not support antivirus software and are extremely vulnerable to hackers seeking access to health care organizations’ networks via Remote Desktop Protocol attacks,” he stresses. “There are tens of thousands of these susceptible devices in a hospital, each offering an open backdoor for ransomware attacks and patient harm.”
These devices can interact with the physical world in ways conventional IT devices usually do not. Greenbalgh says that the potential harm that can accompany such activities as administering drugs through an infusion pump needs to be explicitly recognized and addressed from cybersecurity and privacy perspectives.
In relation to increased risk introduced by COVID-19, Barrett traces some of the problem to organizations temporarily loosening certain controls related to teleworking, and, in some cases, authorizing the use of personal devices rather than company-issued equipment and company-managed workstations.
“Companies must quickly implement appropriate mitigating controls and, as soon as possible and practical, return to full company policy compliance,” Barrett says, pointing out that other challenges include the need to support more flexible work schedules due to other pandemic realities such as childcare. “This flexibility must be managed in a manner that ensures an acceptable level of ongoing support of company functions, including availability requirements, and incident detection and response.”
Barrett emphasizes that all five areas of the NIST CSF must be evaluated based on organizational risk. Without identifying and maintaining strong control of all critical assets, he believes an organization is unable to measure the risk of those assets in an ongoing manner. “Each asset must be protected based on identified threats, their likelihood of occurrence, and the impact of their occurrence. Incidents occurring against the assets must be detected and appropriately responded to, and effective recovery must be achieved within an identified maximum allowable duration,” Barrett says.
Best Practice Going Forward
Greenhalgh points out that Health and Human Services (HHS) convened a task group of 150 public and private experts in the field of health care cybersecurity and privacy under the directive of the Cybersecurity Act of 2015. The group was formed to help align the health care sector with the best practices for cybersecurity. A member of the task group, Greenhalgh notes that one outcome was the Healthcare Industry Cybersecurity Practices document, which outlines the five top cyber threats to health care and the 10 best mitigation practices.
“The controls in this document have been mapped to NIST CSF. It is an excellent place for small-sized organizations to start and for medium and large organizations to use as a framework in conjunction with the NIST CSF,” he says. “There are several other HHS workgroups that have produced documents that are designed to accelerate risk reduction.” (More information can be found at the Healthcare and Public Health Sector Coordination Council Cyber Security Working Group website at healthsectorcouncil.org/hscc-recommendations.)
In terms of connected devices, Greenhalgh suggests following the systems and solutions that have been implemented at the Mayo and Cleveland clinics. “It is a combination of point solutions that are integrated and designed to impact the discovery, monitoring, vulnerability management, securing, and utilization management of these assets,” he explains. “Like any new-generation technology, cross-departmental workflow needs to be redesigned. This shift in operations would be analogous to when HIM implemented the EMR or computer-assisted coding and clinical documentation improvement.”
Moser says conducting regular third-party assessments to ensure an objective review and to expose vulnerabilities that might not otherwise be discovered is a foundational part of any cybersecurity strategy. “It’s important to not simply focus on ‘passing’ such a review but, more importantly, to learn how to further strengthen cybersecurity hygiene throughout the organization. Formal third-party reviews from trusted certification and accreditation organizations are critical for gaining and assuring customer trust,” he says.
— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications, covering everything from corporate and managerial topics to health care and travel.