MITRE publishes policy checklist for healthcare cybersecurity

The 17-step road map is meant to help sort out shared healthcare cyber hygiene responsibilities, giving policymakers and providers direction toward protecting patient safety in the face of cyber threats.
By Andrea Fox
10:47 AM

Photo: Christina Morillo / Pexels

MITRE has developed a new report in response to the policy paper, Cybersecurity is Patient Safety: Policy Options in the Health Care Sector, put forth by Sen. Mark Warner, D-Va. The new MITRE whitepaper collects insights and recommendations for improving cybersecurity – and thus patient safety – across the healthcare sector.

WHY IT MATTERS

MITRE's Cybersecurity and Patient Safety in the Healthcare Setting report addresses the following areas:

  • Improving our national cybersecurity risk posture in the healthcare sector.
  • Modernizing regulatory frameworks, including HIPAA security and privacy rules, to increase cybersecurity protections.
  • Developing the healthcare cybersecurity workforce.
  • Improving the cybersecurity capabilities of healthcare delivery organizations.
  • Emergency preparedness and response.
  • Cybersecurity in the healthcare at home setting.

The step-by-step report also includes links to relevant cyber frameworks and training sources.

MITRE says that as a federally-funded nonprofit research organization, its subject matter and technical experts bring "a unique perspective to this space" in their work with government and healthcare stakeholders to help address threats and inform defense planning.

"They identify and capture best practices for incorporating cybersecurity into the healthcare setting, fortify their institutions against cyber attacks and support the development of new cybersecurity policies to address emerging threats."

THE LARGER TREND

Cyberattacks that aim to shut down hospital and healthcare networks for ransom or to exfiltrate protected consumer and health data have caught the attention of policymakers.

In the line of fire are both healthcare organizations and technology companies like electronic health records vendor NextGen, which was hit with both a ransomware attack in January and the recent discovery of unauthorized access that exposed the consumer data of more than one million patients.

"Once a cyber-attack is confirmed it is critical for an organization to immediately respond and execute on effective playbooks and response procedures," advises Dave Bailey, vice president of security services at Clearwater.

"Organizations should assume a threat actor was active on the network, one or more accounts were compromised and data was exfiltrated. A critical part of the response and mitigation is to determine the impacts and prove you are no longer under attack," he told Healthcare IT News by email Wednesday when asked about NextGen's data breach.

"Healthcare entities should architect third-party risk management programs such that it creates a tiered approach to assessing vendors based on risk to patient safety. Top tier and high-risk vendors must demonstrate they have effective controls in place to protect patient information and enable the success of the organization and safe and quality outcomes," he said.

ON THE RECORD

"Implementing cyber hygiene practices is a shared responsibility across the federal government and private sector," MITRE's Center for Data-Driven Policy says in the report.

"The technologies that are bringing new innovations to healthcare are rapidly evolving and attackers are becoming more sophisticated. The process for creating cyber hygiene practices needs to be streamlined and agile to adapt to different clinical environments and varying levels of expertise, resources and computational capabilities. These practices must also be designed to not inadvertently interfere with patient safety." 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.