Friday, January 29, 2016

Information Security Risk Management Framework in the Healthcare Delivery System: A Risk Assessment Guideline RFI


The national and economic security of the United States relies heavily on the functioning of critical infrastructure. This led the President to issue Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed the National Institute of Standards and Technology (NIST) to collaborate with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure. One year later, in February 2014, NIST released the Framework for Improving Critical Infrastructure Cybersecurity. This framework is being adapted or adopted in a host of sectors, including the healthcare and public health (HPH) sector.

According to the Department of Homeland Security, “In a Request for Information (RFI) issued on December 11, 2015, NIST is seeking information on:

  • ways in which the Framework is being used to improve cybersecurity risk management,
  • how best practices for using the Framework are being shared,
  • the relative value of different parts of the Framework,
  • the possible need for an update of the Framework, and
  • options for long-term governance of the Framework” (dhs.gov)
In his submission to the RFI, Dr. Patrick Gallagher of the American Hospital Association (AHA) said, “On behalf of our nearly 5,000 member hospitals, health systems and other health care organizations, and our 43,000 individual members, the American Hospital Association (AHA) appreciates the opportunity to comment on the Preliminary Cybersecurity Framework published in the Oct. 29 Federal Register.

Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” directed the National Institute of Standards and Technology (NIST) to develop the framework to “reduce cyber risk and help owners and operators of critical infrastructure identify, assess, and manage that risk.” Hospitals are included in the Healthcare and Public Health Critical Infrastructure Sector, one of 18 identified in the executive order. Under the order, the framework is voluntary for the private sector, although it is mandatory for federal agencies. However, the executive order contemplates the use of incentives for private sector owners and operators of critical infrastructure to encourage their adoption of the framework.” (aha.org) Further, he urged that the final framework “remain flexible and strictly voluntary for the private sector, given the variability both across and within sectors” (aha.org). I share the AHA RFI below:
  • “The final framework consider how the different critical infrastructure sectors might reconcile disparate cybersecurity implementation standards;
  • The federal government acknowledge that it will take time for changes to be accomplished across the large number and variety of actors in health care sector and allow sufficient time for the important sector-specific definitions, tools and processes to be developed and implemented appropriately; and
  • A detailed cross-walk to the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) requirements must be included directly in the final framework.

THE FRAMEWORK IS A USEFUL ORGANIZING TOOL

The AHA agrees with the framework’s central tenet that an ongoing risk management approach to cybersecurity is the most appropriate, given the dynamic nature of information systems and the rapid pace of change. Health care delivery is an increasingly connected enterprise, and hospitals take seriously their responsibility to protect their information systems from unauthorized access and malicious attacks. While bringing tremendous efficiencies and innovations, interconnected information technology also introduces new types of vulnerability for inappropriate access to private information, and even criminal activity that can put individuals and institutions at risk. For example, billing systems use electronic transfers, medical devices upload vital statistics in real time to electronic health records, hospitals allow patients and visitors access to hospital WiFi as a courtesy, and patients are being provided access to protected health information via authentication on the Internet.

The preliminary cybersecurity framework supports hospitals’ efforts to protect their information systems by providing a helpful, high-level structure for individual organizations to consider when addressing cybersecurity risk. Specifically, it identifies five core functions – identify, protect, detect, respond, recover – that must be part of a risk-based approach to manage cybersecurity, with specific categories of activity under each (such as asset management or access control). It then identifies existing guidelines and technical standards that support the individual recommended functions.

Given that there are 18 diverse sectors that are considered to be critical infrastructure, the high-level approach used in the framework is appropriate. The “layered” format allows organizational leaders to focus on a process for risk management, while technical professionals can drill down into specific standards and other resources. However, we recommend that NIST also consider some of the potential cross-sector interactions that occur. For example, a hospital cannot run without power or water, and is reliant on the communications sector to be a first line of defense against cyberattacks. Similarly, the emergency services critical infrastructure sector cannot successfully respond to an incident without access to hospital emergency rooms. Accordingly, we recommend the final framework include not only voluntary standards for each critical infrastructure sector, but also considerations for how the sectors might reconcile disparate cybersecurity implementation standards.

While organizational leaders will not have the technical skills to implement specific protections, they must incorporate cybersecurity into their overall risk management approach. To that end, the AHA continues to educate hospital leaders on the importance of cybersecurity. We have, for example, developed a primer directed specifically at hospital leaders urging them to incorporate cybersecurity into the organization’s overall risk management and reduction strategy, launched a new webpage with cybersecurity materials, and scheduled a webinar series about cybersecurity issues.

SECTOR-SPECIFIC WORK WILL BE NEEDED

As cybersecurity awareness builds, there will be a clear need for sector-specific definitions, tools and processes that include best practice sharing and more specific help than the framework provides. The AHA is collaborating with the departments of Homeland Security and Health and Human Services in their public-private collaborations, including the Healthcare and Public Health Sector Coordinating Council, to work through health sector specific issues. The AHA also will work with other organizations within the health sector.

A key priority for the collaboration should be leveraging existing tools before building new ones, and ensuring that all health care entities have access to solid guidance. It will take public and private sector actions to achieve the crucial goals of Executive Order 13636: “to enhance the security and resilience of the nation's critical infrastructure and to maintain a cyber-environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” Furthermore, we urge the federal government to acknowledge that it will take time for changes to be accomplished across the large number and variety of actors in health care.

ADOPTION OF THE FRAMEWORK SHOULD REMAIN VOLUNTARY

The AHA appreciates the urgency associated with building cybersecurity capacity and is engaged in building awareness of and a commitment to address cybersecurity issues among hospital leaders. However, we strongly believe that adoption of the framework must remain voluntary for private sector entities. We caution against a rapid move toward adoption of incentives that would essentially mandate adoption, particularly in the highly regulated health care space. We encourage the federal government to ensure a thorough dialogue with the health sector before any specific incentives are adopted. Further, we recommend that only positive incentives be contemplated, such as reduced premiums for cybersecurity insurance among those who have adopted the framework.

We are concerned that mandatory compliance against a checklist of items would go against the nature of a risk-based approach that can be responsive to a changing environment. It also could create an onerous, compliance-oriented approach to cybersecurity, rather than encouraging achievement of broader goals. Furthermore, a punitive approach could have unintended consequences, such as denying resources to organizations that are struggling to keep up, undermining their ability to put a solid cybersecurity program in place.

DIVERSITY WITHIN AND ACROSS CRITICAL INFRASTRUCTURE SECTORS NECESSITATES A FLEXIBLE APPROACH

The flexible approach taken by the framework is appropriate given the diverse institutions that are part of the nation’s critical infrastructure. The hospital field alone can range from very large academic medical centers to small rural hospitals with fewer than 25 beds. The resources available to this wide range of organizations vary, as does the scope of their networked environments, their current level of connectivity, and the level of risk from exposure to the Internet. In addition, different health care entities may have unique circumstances that affect their cyber risks, such as size, location and the specific services provided. Indeed, even within a single health care organization, such as a hospital, diverse components may have different risk profiles. For example, the lobby gift shop generally is not connected to the organization’s information systems that contain and communicate sensitive patient data. Accordingly, the flexible approach used in the draft framework should be preserved in the final version.

For health care organizations, patient care is the primary objective. Hospitals and health systems are on a path toward increasing information sharing in support of better and more efficient care. Therefore, the Healthcare and Public Health Sector by necessity may have more critical system access points than other infrastructure sectors. For example, medical device companies, physician offices, insurers and individual patients may all interact with a hospital’s information systems. Therefore, it will be necessary for the health care sector itself to work to better define the entities and individuals who are part of the health care critical infrastructure. The NIST preliminary framework could help facilitate that important work if it explicitly acknowledged that a critical infrastructure entity, such as a hospital, must have the cooperation of all other entities that interact with its information system. These outside organizations also must engage in cybersecurity risk assessment and reduction activities. In the case of hospitals, for example, it will be important for the controls presented in the framework to flow down to medical device and IT vendors that create products that are attached to or integrated into a hospital’s network. These subsidiary actors also will need to implement appropriate access controls, logging systems and vulnerability remediation tools.

THE FRAMEWORK SHOULD REFERENCE EXISTING INFORMATION SECURITY RULES APPLICABLE TO HEALTH CARE ORGANIZATIONS

In developing specific standards, NIST and others must be aware of the existing privacy rules specific to health care, especially the HIPAA and the more recent HITECH requirements, which include specific rules to protect the security of patients’ health information held in electronic form. That means the cybersecurity framework must be cross-walked to the specific requirements of the security rule issued under these laws. Cybersecurity involves much more than protecting patients’ medical information under HIPAA and extends to all financial, personnel and other networked systems. Nevertheless, a health care organization’s activities related to personal health information serve as a foundation to manage broader organizational risks related to cybersecurity. Inclusion of a detailed cross-walk to the HIPAA and HITECH requirements directly in the framework would ensure that contradictory and duplicative requirements are avoided.

Hospitals Implementing Cybersecurity Measures

As hospitals increasingly use digital technology to gather, store and share patient information, they also must take steps to ensure data security. Results from the 2015 AHA Most Wired Survey show that the majority of hospitals are already taking many important security steps (see Fig. 1.0 below), while they continue to build out their capabilities. Digital health will continue to evolve, and increasingly leverage secure connectivity for patients, physicians and other care providers. In response to both these technology shifts and the complex regulatory environment, best practices will continue to spread and change over time. Security is not just a technical issue, and many different steps need to be taken to ensure that hospital policies and staff training support information system security. Hospitals also must ready their response plans for those occasions when incidents arise. Technical trends make clear that cybersecurity will be a growing issue for hospitals and their boards in the coming years. As a result, hospitals also will want to continue to build their capacity to keep information secure, identify threats and respond to incidents. The AHA has developed high-level resources for hospital leadership to help them navigate these issues, available at www.aha.org/cybersecurity.

Top Six Actions to Manage Hospital Cybersecurity Risks

1.  Establish procedures and a core cybersecurity team to identify and mitigate risks, including board involvement as appropriate.
2.  Develop a cybersecurity investigation and incident response plan that is mindful of the Cybersecurity Framework being drafted by the National Institute of Standards and Technology.
3.  Investigate the medical devices used by the hospital in accordance with the June 2013 Food and Drug Administration guidance to ensure that the devices include intrusion detection and prevention assistance and are not currently infected with malware.
4.  Review, test, evaluate and modify, as appropriate, the hospital’s incident response plans and data breach plans to ensure that the plans remain as current as possible in the changing cyber threat environment.
5.  Consider engaging in regional or national information-sharing organizations to learn more about the cybersecurity risks faced by hospitals.
6.  Review the hospital’s insurance coverage to determine whether the current coverage is adequate and appropriate given cybersecurity risks” (aha.org)

Further, information security risk assessment, an integral part of a risk management framework, is an ongoing process in the healthcare delivery system whose purpose is to discover, correct, prevent and provide appropriate levels of security for information systems. The risk assessment will help the healthcare and public health (HPH) sector “determine the acceptable level of risk and the resulting security requirements for each system.” The HPH sector “must then devise, implement and monitor a set of security measures to address the level of identified risk. For a new system the risk assessment is typically conducted at the beginning of the System Development Life Cycle (SDLC). For an existing system, risk assessments may be conducted on a regular basis throughout the SDLC and/or on an ad-hoc basis in response to specific events such as when major modifications are made to the system's environment or in response to a security incident or audit” (mass.gov).

According to the Executive Office for Administration and Finance, information “security risk assessments are an integral part of compliance with HIPAA security standards. Information security risk assessments are also part of sound security practices required by the Commonwealth Enterprise (CE) Information Security Policy. CE Covered Entities, and those who are Business Associates of CEs, must comply with the HIPAA security rule, 45 CFR parts 160, 162 and 164. The HIPAA security framework calls for due diligence based on good business practices, for systems handling electronic protected health information (e-PHI). Creating an Information Risk Assessment Report satisfies the Rule’s requirements to analyze risks, formulate appropriate safeguards, and document the risk management decision-making process” (mass.gov).

The risk assessment methodology (summary) adopted here is “based on the Centers for Medicare and Medicaid Services (CMS) Information Security Risk Assessment Methodology, developed by the federal Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS), which is available at www.cms.hhs.gov/it/security/docs/RA_meth.pdf. It is presented in three phases and illustrated in the task schedule (Table 1.0):

System Documentation Phase


  • Document system identification
  • Document system purpose and description
  • Document the system security level

The team must make a decision about where to draw the boundaries of the system to be assessed.

Risk Determination Phase


  • Identify threats
  • Identify vulnerabilities
  • Describe risks
  • Identify existing controls
  • Determine likelihood of occurrence
  • Determine severity of impact
  • Determine risk level

The team must decide whether to include only controls that are currently implemented, or to include controls that are budgeted and scheduled for implementation.

Safeguard Determination Phase


  • Recommend controls and safeguards
  • Determine residual (remaining) likelihood of occurrence if controls and safeguards are implemented
  • Determine residual severity of impact if candidate controls and safeguards are implemented
  • Determine residual risk levels

The Risk Assessment Report

A Risk Assessment (RA) Report applies to a selected information system. An information system is a group of computing and network components that share a business function, under common ownership and management. The Report will include:

  • A documented system inventory, listing all system components and establishing the system boundary for the purposes of the Report;
  • Documentation of the system's policies and procedures, and details of its operation;
  • List of threat / vulnerability pairs, with severity of impact and likelihood of occurrence;
  • List of safeguards for controlling these threats and vulnerabilities;
  • List of recommended changes, with approximate levels of effort for each;
  • For each recommended change, the resulting reduction in risk;
  • The level of residual risk that would remain after the recommended changes are implemented.

The Report will reflect the security policies and objectives of the agency's information technology management. It will be presented in a face-to-face meeting with the system business and technical owners, the risk assessment manager, and other project team members.

A Risk Assessment Report is not intended to create or include the following; however, it should be used as input for:

  • A system security plan, new security architecture, audit report, or system accreditation;
  • System security policies, or assignment of staff responsibility for system security;
  • Detailed dataflow;
  • Exact dollar cost estimates or justifications;
  • Assignment or acceptance of legal responsibility for the security of the system;
  • In-depth analysis or resolution of specific security incidents or violations;
  • Contract review” (mass.gov)
[Table 1.0: Tasks chart (Mass.gov); image not reproduced. Phases shown: Risk Determination Phase, Safeguard Determination Phase]

“The risk assessment report:

  • Summarizes the system architecture and components, and its overall level of security;
  • Includes a list of threats and vulnerabilities, the system's current security controls, and its risk levels;
  • Recommends safeguards, and describes the expected level of risk that would remain if these safeguards were put in place;
  • Shows where an organization needs to concentrate its remedial work;
  • Can be used as input to the agency's business continuity plan;
  • Presents these findings to management

The risk assessment team comprises:

  • Risk assessment manager
  • System or network administrator
  • Technical reviewer
  • Systems business owner
  • System technical owner
  • Executive sponsor
  • Information security officer” (mass.gov)
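As an added example (not tooling from the page's sources, CMS or mass.gov), the three phases above can be carried as a small risk register: each threat / vulnerability pair from the Risk Determination phase gets a likelihood and a severity-of-impact rating, a matrix yields its risk level, and each recommended safeguard from the Safeguard Determination phase yields the residual ratings, the resulting reduction in risk and the overall residual risk that the Report lists. The Low/Moderate/High scales, the 3x3 matrix and the sample entries are assumptions, not values from the page.

```python
# Added example (not tooling from the page's sources, CMS/mass.gov): a risk register
# for the three-phase assessment above. Scales, matrix and sample pairs are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEVELS = ("Low", "Moderate", "High")

# Assumed qualitative matrix: RISK_MATRIX[likelihood][impact] -> risk level.
RISK_MATRIX: Dict[str, Dict[str, str]] = {
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}

def risk_level(likelihood: str, impact: str) -> str:
    """Risk Determination: combine likelihood of occurrence and severity of impact."""
    for rating in (likelihood, impact):
        if rating not in LEVELS:
            raise ValueError(f"rating {rating!r} not in {LEVELS}")
    return RISK_MATRIX[likelihood][impact]

@dataclass
class Safeguard:
    """Safeguard Determination: a recommended change plus its residual ratings."""
    name: str
    effort: str              # approximate level of effort, as the Report requires
    residual_likelihood: str
    residual_impact: str

@dataclass
class RiskItem:
    """One threat / vulnerability pair with the controls currently in place."""
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    existing_controls: List[str] = field(default_factory=list)
    safeguard: Optional[Safeguard] = None

    def current_risk(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def residual_risk(self) -> str:
        if self.safeguard is None:   # no recommended change: residual equals current
            return self.current_risk()
        return risk_level(self.safeguard.residual_likelihood, self.safeguard.residual_impact)

    def risk_reduction(self) -> int:
        """Levels by which the recommended change lowers the risk (0 if none)."""
        return LEVELS.index(self.current_risk()) - LEVELS.index(self.residual_risk())

def build_report(items: List[RiskItem]) -> dict:
    """Assemble the Report's lists: pairs with risk level, recommended changes
    with effort and resulting reduction, and the overall residual risk."""
    pairs = [(i.threat, i.vulnerability, i.current_risk()) for i in items]
    changes = [(i.safeguard.name, i.safeguard.effort, i.risk_reduction())
               for i in items if i.safeguard is not None]
    # Remedial work should concentrate on the highest residual risks first.
    focus = sorted((i for i in items if i.residual_risk() != "Low"),
                   key=lambda i: -LEVELS.index(i.residual_risk()))
    overall = max((i.residual_risk() for i in items), key=LEVELS.index, default="Low")
    return {"pairs": pairs, "recommended_changes": changes,
            "focus": [i.threat for i in focus], "overall_residual_risk": overall}

# Constructed sample register for a small hospital system (not real findings).
SAMPLE_REGISTER = [
    RiskItem("Malware on networked medical device",
             "Device firmware unpatched; no intrusion detection on the device segment",
             likelihood="High", impact="High", existing_controls=["Vendor maintenance contract"],
             safeguard=Safeguard("Segment device network; add IDS and a vendor patch cycle",
                                 "Moderate", "Moderate", "Moderate")),
    RiskItem("Unauthorised access to e-PHI",
             "Shared clinician logins on ward workstations; no access logging",
             likelihood="Moderate", impact="High", existing_controls=["Badge-controlled wards"],
             safeguard=Safeguard("Unique accounts with audit logging and periodic review",
                                 "Low", "Low", "High")),
    RiskItem("Compromise of the lobby gift-shop point of sale",
             "Consumer-grade router on the shop's own internet link",
             likelihood="Low", impact="Low", existing_controls=["Not connected to clinical systems"]),
]
```

Running `build_report(SAMPLE_REGISTER)` yields two recommended changes, each lowering its pair by one level, and an overall residual risk of Moderate, which is the figure the Report's final bullet asks the team to present to management.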

In addition, “The Healthcare and Public Health (HPH) Sector constitutes a significant portion of the U.S. economy. Privately owned and operated organizations comprise the vast majority of the sector and identify themselves with the delivery of healthcare goods and services. The public health component consists largely of government agencies at the Federal, State, local, tribal, and territorial levels. Due to the diffuse nature of the sector, there are many targets for potential attack that are exceptionally hard to protect. A breakdown in the healthcare infrastructure would result in a significant impact on the economy, a loss of human life, and a breakdown in other critical sectors. To help manage this risk, HHS and its government and private sector partners developed a Healthcare and Public Health Sector-Specific Plan (HPH SSP). The HPH Sector continues to take steps to better understand risks to the sector from all hazards. To address these risks, the sector is implementing risk mitigation activities (RMAs) at all levels of government and the private sector. RMAs described in its SSP include the following:

  • Federal cooperative agreement programs such as the Public Health Emergency Preparedness Program, which builds State, territorial, and local health department resilience; and the Hospital Preparedness Program (HPP), which builds resilience at healthcare facilities;
  • Federal regulatory programs such as the Select Agent Program, which oversees laboratories and other entities that possess, use, or transfer certain biological agents and toxins; and
  • Voluntary private sector initiatives such as Rx Response and the sector’s Medical Materials Coordinating Group, which work to enhance supply chain resilience for drugs, biological products, and medical devices.

The SSP represents a collaborative effort between the private sector; State, local, tribal, and territorial governments; nongovernmental organizations; and the Federal Government. This collaboration will result in the prioritization of protection initiatives and investments within and across sectors to deter threats, decrease vulnerabilities, and minimize the consequences of attacks and other incidents.” (dhs.gov)

Finally, the HITRUST Cyber Threat XChange (CTX) (Fig. 1.0 below, hitrustalliance.net), a creation of the Healthcare and Public Health Sector, which “protects all sectors of the economy from hazards such as terrorism, infectious disease outbreaks, and natural disasters”, is intended to “significantly accelerate the detection and response to cyber threats targeted at the healthcare industry. HITRUST CTX automates the process of collecting and analyzing cyber threats and distributing actionable indicators in electronically consumable formats that organizations of varying sizes and cyber security maturity can utilize to improve their cyber defenses” (hitrustalliance.net).



[Fig. 1.0: HITRUST Cyber Threat XChange (hitrustalliance.net); image not reproduced]

“HITRUST Cyber Threat XChange (CTX) is designed to optimize the way organizations defend against cyber-attacks. By complementing traditional signature and anomaly based technologies, CTX delivers a data driven security approach that enables your existing security investments to function more effectively.

HITRUST CTX is available in multiple subscription levels. The basic subscription (available free of charge to qualified organizations*) includes the following features:

  • Advanced intelligence specific to the healthcare industry, including intelligence of the top threat actors observed targeting the healthcare sector
  • Suspicious domain registrations associated with the organization's domain
  • Key word alerting for compromised credentials
  • Indicators of compromise (IOCs) specific to the healthcare industry
  • Integrated sandboxing for malware analysis
  • Access to threat intelligence circles and collaboration within the HITRUST–Basic Communities” (hitrustalliance.net)

References

Healthcare and Public Health Sector. Homeland Security. (2015-10-27). Retrieved
American Hospital Association Comments to Dept. of Commerce Re: The Preliminary Cybersecurity Framework. AHA. (2013-1-13). Retrieved (2016-1-8). http://www.aha.org/advocacy-issues/letter/2013/131211-cl-cybersecurity.pdf
The Official Website of the Executive Office for Administration and Finance. Information
Healthcare and Public Health Sector-Specific Plan. HS & DH&HS. (2010). Retrieved
Hospitals Implementing Cybersecurity Measures. HealthCare’s Most Wired. AHA.
Top Six Actions to Manage Hospitals Cybersecurity Risks. AHA. (2013). Retrieved
NIST Framework to Reduce Cyber Risks to Critical Infrastructure. Cybersecurity Framework. (2015-12-11). Retrieved (2016-1-28). http://www.nist.gov/cyberframework/index.cfm
HITRUST Common Security Framework (CSF). (n. d.). Retrieved (2016-1-28).
HITRUST Cyber Threat Xchange (CTX). (n. d.). Retrieved (2016-1-28).
