The Health Information Trust Alliance (HITRUST) has issued guidance to help healthcare organizations set priorities for cybersecurity preparedness.
The guidance points to a subset of controls within the HITRUST Common Security Framework (CSF) to help organizations assess their cyber capabilities and readiness.
"As the sophistication and intensity of cyber attacks increase, HITRUST believes it is more critical than ever that healthcare organizations have the appropriate safeguards in place and a means by which to review their current level of preparedness," Daniel Nutkis, HITRUST CEO, said in an announcement.
The guidance classifies 135 CSF controls into three categories based on their assessed relevance to cybersecurity threats: most relevant, relevant and least relevant.
Some examples include:
- Most relevant: Review of user access rights, segregation in networks, mobile computing and communications, monitoring system use.
- Relevant: Management of removable media, outsourced software development, business continuity and risk assessment, learning from information security incidents.
- Least relevant: Clear desk and clear screen policy; termination or change responsibilities; securing offices, rooms and facilities.
The guidance stresses that cybersecurity protection differs from other requirements such as HIPAA, which is focused on privacy, and that any cybersecurity framework an organization chooses should be implemented as completely as possible.
The guidance is the early work of the HITRUST Cybersecurity Working Group, created in February after President Obama issued an executive order calling for a national effort to defend against cyber threats.
Last July, HITRUST launched the first analysis service of cyber attacks specifically for the healthcare industry. Called the Cyber Threat Analysis Service (C-TAS), it is a function of HITRUST's Cyber Security Incident Response and Coordinator Center. The center was designed to enable the industry to collaborate and create a "community defense" model against cyber attacks.
Though hackers generally go after financial information they can use for identity theft or other financial fraud, experts have recently warned that gangs of hackers from China are targeting the intellectual property of drug and device makers, as well as business processes that improve healthcare efficiency.
Assessing the cybersecurity risks in your organization should be an "ongoing, constant, holistic type of approach where you're looking at your systems from the perspective of someone on the outside," Jared Rhoads, senior research specialist for CSC's Global Institute for Emerging Healthcare Practices, recently told FierceHealthIT.