New HHS Guidance Recommends Detection and Response

Editor’s Note: The Department of Health and Human Services (HHS) recently published new cybersecurity guidelines for the healthcare industry. Fred Langston, EVP of Healthcare Security, Professional Services and Product Management, provides a summary, including the HHS' new focus on detection and response.

 

In December 2018, the Department of Health and Human Services (HHS) published the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication. This new guidance offers cybersecurity best practices that healthcare organizations of any size can implement.

 


I’ve been doing health industry cybersecurity for a long time, which has led to my involvement in helping to craft cybersecurity policy for the healthcare industry. One of my first experiences was back in 1996, when I was part of the working group that provided guidance on the proposed HIPAA Security Rule. That rule established certain standards for security moving forward. The resulting risk-based approach was meant to allow the vastly different types and sizes of entities within the healthcare industry to use the standard.

Since then, a slew of much-needed regulations and guidance have come out with good information and mandates. However, without the tactical approaches to reduce the overall risk, we can’t move the security needle. The old maxim still holds: compliance does not equal security.

But following the new guidance could move the needle. In recent months, HHS has identified detection and response as a top area for organizations to address cybersecurity gaps and reduce risk by minimizing the impact side of the risk equation. Currently, most organizations focus on prevention, which only addresses the likelihood part of the risk equation. In a world where we assume breach and understand that we are working to minimize damage from a foreseeable event, focusing on detection and response makes perfect sense.

Read on to see what HHS says and pick up 5 tips to address the recommendation.

HHS Guidance on 24/7/365 MDR

HICP focuses on improving the security and safety of patients by highlighting the five most relevant and current threats to the industry. It also recommends cybersecurity best practices to help mitigate these threats.

Table 1. Five Prevailing Cybersecurity Threats to Health Care Organizations

| Threat | Potential Impact of Attack |
|---|---|
| E-mail phishing attack | Malware delivery or credential attacks. Both attacks further compromise the organization. |
| Ransomware attack | Assets locked and held for monetary ransom (extortion). May result in the permanent loss of patient records. |
| Loss or theft of equipment or data | Breach of sensitive information. May lead to patient identity theft. |
| Accidental or intentional data loss | Removal of data from the organization (intentionally or unintentionally). May lead to a breach of sensitive information. |
| Attacks against connected medical devices that may affect patient safety | Undermined patient safety, treatment, and well-being |

Source: HICP Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations, https://www.phe.gov/Preparedness/planning/405d/Documents/tech-vol1-508.pdf, page 5

 

To address the risk of these outcomes, the guide recommends that prevention strategies already in place (such as firewalls, anti-virus, and employee training) be augmented with the ability to detect the failure of those controls and the capability to respond quickly and effectively to contain and minimize any threat to patient care. In turn, the guidance suggests that healthcare organizations can stay on top of information security by expanding their Security Operations Center to a 24x7x365 model, like authentic Critical Insight MDR from CI Security.

From the Guidance:

“In addition to the basic SOC practices already discussed, an organization’s move to more advanced security management should include expanding its SOC to a 24x7x365 model. In this model, the SOC is staffed and monitored 24 hours per day, 7 days per week, 365 days per year.

Fully outsourced: In the fully outsourced model, all SOC and threat actions are outsourced to a third-party provider who has the required infrastructure, staff, and capabilities. Such providers normally install sensors on your networks and use them to collect necessary log information that enriches detection and response activities. SOC analysts actively look for threats and provide your internal IR personnel with specific actions to take when threats are identified.

This model has the advantage of scale and capability. It is difficult to hire and retain qualified security analysts to provide this dedicated function. Additionally, organizations benefit from the shared intelligence discovered by the service provider’s other clients.” 

Experts have noted these suggested practices will likely become the standard for providers in upcoming years. It’s important for organizations to address the recommendations now to stay ahead of compliance requirements in the future.

The challenge arises with the operationalization of around-the-clock detection and response. Building an in-house Security Operations Center (SOC) is an expensive investment not all organizations can afford. With authentic Managed Detection and Response (MDR), CISOs and IT leaders can affordably outsource these functions and measurably reduce risk, improve IT and Security resource productivity, lower HR churn, and improve audit outcomes. When weighing costs and benefits, MDR is often the most financially viable option for Boards of Directors and Executives, who employ risk management strategies to determine budgets.

While budgeting, vendor selection, and procurement take time, health organizations can implement a use case for MDR by applying it as a positive factor for selecting 3rd party vendors and partners.

Overall, the HHS guidance offers suggestions that are ideal for all organizations who are continuously improving their cybersecurity programs. The suggested best practices are not necessarily expensive to implement. Want to implement some aspect of this guidance to your cybersecurity program? Contact us today to discuss your project.

5 Tips for Addressing the HHS Guidance

One of the biggest questions left unanswered with the guidance is not why, but rather how, to monitor, detect, and respond. In the earliest years of HIPAA Security compliance, this lack of tactical guidance was quickly identified as a weakness in the HIPAA Security Rule. Only since other regulatory regimes, like finance (FFIEC), Energy (NERC CIP), and Payment Card Industry (PCI), have provided specific requirements on what needs to be monitored, how often, and what needs to be done when suspicious activity is detected, has the healthcare world come to accept that a rigorous programmatic approach to monitoring is an essential compliance element for HIPAA, even if it was always implied as such.

Whether you choose to source in-house, or outsource to a qualified MDR provider, these are the 5 key areas on which to focus to build out your detection and response functions. 

  1. Consider your telemetry. Develop requirements on what you want to “see”, and ensure you collect all relevant network flows, security technology alerts, endpoint activity, operational logs, and packet data to meet those requirements.

  2. Collect and store data in a secure location and provide adequate storage for the ‘back in time’ investigation ability that is appropriate to the magnitude of network activity.

  3. Implement a system to apply analytics and correlation/comparison algorithms to remove false positives. Note the need for an operator, as these systems require continuous maintenance and tuning.

  4. Provide analyst resources to investigate those events that were not dismissed as irrelevant. This can be qualified security analysts or, more commonly if not acquired as MDR, an additional body of work assigned to IT resources.
    • Experienced analysts can monitor the alerts that percolate up after tuning.
    • They also correlate events that could otherwise go undetected (IoT, remote access, beaconing, etc.)
    • They use their expertise to determine whether the alert is still a false positive or a true anomaly that needs further investigation.

  5. When malicious activity has been identified (and ideally confirmed through event replay), the security analyst initiates an incident action plan to quarantine the affected asset to minimize dwell time and actual damage.
    • Response planning should cover everything from malware infection to loss of operational continuity.
    • Regular table-top exercises will help your team prepare for rapid response and test your IR plan. 
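
A sketch of tips 3 and 4 in practice, as an added example that is not taken from the HICP guidance or from CI Security: it flags beacon-like flows by their regular spacing, then escalates to an analyst only when a second telemetry source fired on the same host, sending uncorroborated matches to tuning instead. The host names, addresses (documentation ranges), event layout and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry: (epoch_seconds, source, host, detail).
# Hosts, addresses (documentation ranges) and timings are made up.
EVENTS = [
    # ws-12: outbound flow roughly every 60 s, plus one endpoint event
    *[(1000 + 60 * i + j, "flow", "ws-12", "203.0.113.7:443")
      for i, j in enumerate([0, 1, -1, 0, 2, 0])],
    (1130, "endpoint", "ws-12", "unsigned binary started from temp dir"),
    # ws-30: irregular, human-paced flows and no other signal
    *[(t, "flow", "ws-30", "198.51.100.9:443")
      for t in (1000, 1007, 1190, 1201, 1650, 1655)],
    # pacs-01: perfectly regular flows (e.g. a scheduled job), no other signal
    *[(1000 + 300 * i, "flow", "pacs-01", "192.0.2.20:22") for i in range(6)],
]

def beacon_candidates(events, min_conns=5, max_jitter=0.1):
    """Return {(host, dest): mean_gap} for flows with near-constant spacing."""
    times = defaultdict(list)
    for ts, source, host, detail in events:
        if source == "flow":
            times[(host, detail)].append(ts)
    found = {}
    for key, stamps in times.items():
        if len(stamps) < max(min_conns, 2):
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter * mean(gaps):
            found[key] = mean(gaps)
    return found

def triage(events, window=600):
    """Escalate a candidate only when a second telemetry source fired on the
    same host within `window` seconds; otherwise queue it for rule tuning."""
    result = {"escalate": [], "tune": []}
    for host, dest in beacon_candidates(events):
        flow_ts = [ts for ts, s, h, d in events if (s, h, d) == ("flow", host, dest)]
        lo, hi = min(flow_ts) - window, max(flow_ts) + window
        corroborated = any(h == host and s != "flow" and lo <= ts <= hi
                           for ts, s, h, d in events)
        result["escalate" if corroborated else "tune"].append((host, dest))
    return result

if __name__ == "__main__":
    print(triage(EVENTS))
```

The regular but uncorroborated `pacs-01` flow lands in the tuning queue rather than in front of an analyst, which is the continuous maintenance work tip 3 refers to.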

Authentic Detection and Response Solidifies Your Cybersecurity Program

If your security program already addresses the new guidance, you are doing more than most. If you are that proactive, you’re ahead of this curve.

But we know your cybersecurity job is bigger than just one project. The team at CI Security would like to help you improve overall security—we offer a one-stop-shop solution with an authentic managed detection and response solution. We also have consulting services to help organizations get started on their cybersecurity journey with a team of consultants who have extensive Healthcare industry experience and expertise. No matter where you are at, we’d love to help you reach your next goal. Contact us today.

Fred Langston CISSP, CCSK

Executive VP of Professional Services

Questions about the new HHS Guidance?

Fred and his team of expert consultants are ready to help.