HICP405(d): HIPAA Suggested Cybersecurity Best Practices

Recently Mike Pietig, General Manager of CompliancePro Solutions, and Chris Lyons, Director of Cybersecurity with CompliancePro Solutions discussed in a podcast by AEHIS about the ongoing push to include more #cybersecurity elements into the compliance framework for healthcare organizations. They also provided an overview of the Health Industry Cybersecurity Practices (HICP 405(d)) framework, how it came to be, and discuss the 10 control areas that are included in the HICP Cybersecurity Best Practices.

Transcript:

Mike: Hello and welcome to the CompliancePro Solutions podcast for today’s topic: HICP 405(d): HIPAA Suggested Cybersecurity Best Practices.

Mike: My name is Mike Pietig. I am the General Manager at CPS and I will be the moderator for this podcast.

Mike: With me today is Chris Lyons, Director of Cybersecurity with CompliancePro Solutions. CompliancePro Solutions provides Security, Privacy, and Compliance solutions. CPS provides security solutions to covered entities and business associates through Security Risk Assessments, Penetration Testing, and a SaaS Solution to help organizations identify their areas of risk and ensure they are HIPAA-compliant and secure. Chris – thank you for joining me on today’s podcast.

Chris: Thank you for having me today.

Mike: We will be asking Chris about HICP 405(d) Cybersecurity best practices.

Mike: What is HICP and why was it created?

Chris:

HICP - Health Industry Cybersecurity Practices
The Cybersecurity Act of 2015 facilitates voluntary, private-public cybersecurity threat information sharing and clarifies the National Cybersecurity & Communications Information Center (NCCIC) role in evaluating and responses to cybersecurity threats and risks
Voluntary cybersecurity standards for healthcare that are consistent with, but NOT a replacement for HIPAA security requirements – known as ‘Section 405(d)’
Guidelines detailing practical, cost-effective cybersecurity practices that can be implemented by healthcare organizations of all sizes and resource levels
These practices are called ‘Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients’ (HICP)
These practices are built upon the NIST Cybersecurity Framework (CSF)
Controls and suggestions for practices are flexible and built to fit organizations of all sizes from small, medium, and large healthcare organizations.
This is an example of ‘proof of recognized security practices’ which are now being asked for by regulators (e.g., OCR), but also investors and cyber/liability insurance providers
In 2021 HITECH (2009) was amended with Public Law 116-321: “Under the law, when making determinations regarding fines for failure to comply with HIPAA requirements and standards or for wrongful disclosure of individually identifiable health information, the Secretary of HHS will have the ability to consider whether the covered entity or business associate has adequately demonstrated that for at least 12 months that it engaged in “recognized security practices.” Providing such flexible authority will allow HHS to consider mitigation in fines, result in early favorable termination of an audit, or mitigate remedies that would otherwise be a part of a corrective action plan for violation of the HIPAA Security Rule.”

Mike: If the 405(d) controls are a best practice and not required, why would a company implement them?

Mike: How is the framework set up and how would a company implement the 405(d) practices?

Chris:

1. Email Protection Systems – Implement controls to help limit the instances of Phishing emails (also Ransomware).

1. Education
2. Internal Phishing simulations

2. Endpoint Protection Systems – Implement Endpoint Protection.

1. Many full Anti-Virus systems have endpoint protection above the general AV properties
2. All systems that could contain sensitive data (ePHI) must be encrypted
3. Use MFA whenever possible for extra protection
4. Patch all systems regularly

3. Access Management – Implement systems that control access to all systems that could contain ePHI. Access control should include.

1. Limiting users' access to only the data they need to fulfill their job responsibilities (RBA)
2. Do not use generic (shared) accounts to access data or manage systems.
3. Review access to sensitive data regularly (random audits)
4. Only users with a need should have administrative rights

4. Data Protection and Loss Prevention – All data must be classified based on sensitivity.

1. Highly Sensitive
2. Sensitive
3. Internal
4. Public

5. Asset Management – Ensure all assets that could contain sensitive data are documented, tracked, and updated.

1. Asset ID
2. Host name
3. Operating System
4. MAC Address

6. Network Management – Networks must be deployed based on use and data that is within the network.

1. Segment networks by type to limit access to only those that have a business need and to limit the spread of attacks.
2. Restrict guest access. – Physical locations and electronic access.
3. IDS/IPS systems should be placed at the perimeter of your network.

7. Vulnerability Management – Processes must be in place to detect, identify, and remediate identified vulnerabilities.

1. Regularly scheduled vulnerability scans (internal)
2. Regular Web Application scanning (web portals, servers, applications)
3. Remediation starts with a regular patching cycle for all systems and applications
4. Risk ranking and remediation process of identified vulnerabilities

8. Incident Response – A fully developed incident response plan is essential to a Cybersecurity framework.

1. Develop a plan to meet the most common incidents (not everything that could ever happen)
2. Include incident types that are common (Ransomware, virus outbreak, phishing, etc), including how they would be remediated
3. Document the plan and how an incident is identified, declared an incident, the response, documentation, remediation, lessons learned, etc.
4. Join an information sharing and analysis organization or center (ISAC/ISAO)

9. Medical Device Security – Ensure medical device security processes are identified and documented (if applicable).
10. Cybersecurity Policies – Document all implemented Cybersecurity policies and procedures.

1. Roles and Responsibilities
2. Education and Awareness
3. Acceptable Use
4. Data classification
5. Personal devices
6. Laptop, portable, remote use
7. Incident reporting and checklist

Chris: These 10 practices are located on the HHS website – search for HICP

Mike: What are the key elements to think about when implementing a cybersecurity program?

Chris:

Effective leadership with a top-down acceptance of the program (Buy in)
A solid risk-based plan to identify adequate and cost-effective deterrents and technical controls/technology (cost vs benefit analysis)
Adequate funding to implement and support the program
A well thought out and documented Security plan
A knowledgeable leader implementing the program
A capable staff to monitor the program to identify and remediate risks

Mike: I know CPS includes these best practices in the solutions. If our audience is interested in learning more about CPS is helping organizations with their HIPAA or other security requirements and framework, where should they go to get more information?

Chris: Go to our website www.complianceprosolutions.com

Mike: Thank you for joining us for this discussion on the difference between being HICP 405(d): HIPAA Suggested Cybersecurity Best Practices.