
HICP Technical Guide Changes 2023 – Ep 406 

 May 12, 2023

By Donna Grindle

Healthcare organizations are dealing with increasingly complex cybersecurity threats. With the use of technology and the presence of sensitive patient information, hackers see healthcare systems as valuable targets. Protecting healthcare systems is a major challenge. The 405(d) Task Group has updated their HICP guidance for small, medium and large organizations to help them better secure their networks and applications and manage risks to keep patient information safe.


In this episode:

HICP Technical Guide Changes 2023 – Ep 406

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA



HICP Technical Guide Changes 2023

[01:51] The 405(d) Task Group that David and I are a part of has released new changes to the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) guides. We are going to review some of the revisions and modifications made to the HICP technical volumes.

The key updates are included in the Executive Summary of Revisions and Modifications HICP Technical Volumes. Things like:

  • Cybersecurity threat: Email Phishing is now Social Engineering
  • Cybersecurity Practice #10: Cybersecurity Policies is now Cybersecurity Oversight and Governance
  • New sub-practices were added, including:
    • Cyber insurance (Cybersecurity Practice #10)
    • Cybersecurity Risk Assessment and Management (Cybersecurity Practice #10)
    • Attack Simulations (Cybersecurity Practice #7)

[04:40] There are some significant updates to Technical Volume 1 for small organizations, including:

  • Cybersecurity Practice #1: Email Protection Systems
    • Sub-Practice A: Email System Configuration – Updates and guidance regarding how to identify email solutions that have security safeguards built in and encouraging use of MFA.
    • Sub-Practice B: Education – Recommending having a process to follow whenever users receive suspicious email messages.
  • [13:38] Cybersecurity Practice #2: Endpoint Protection Systems – Sub-practice A: Basic Endpoint Protection Controls
    • Updates to managing administrative accounts on the network, auditing software applications and managing end-of-life operating systems.
    • Guidance on how to turn on vendor-supplied endpoint protection in hardware and software and securing remote access and VPN use for encrypting internet sessions.
    • Advice on communicating with IT about managing endpoints.
  • Cybersecurity Practice #4: Data Protection and Loss Prevention – Sub-Practice B: Procedures
    • Revisions to health information small organizations transmit across internet facing technology.
    • Further OCR guidance on sending unencrypted emails to patients that contain PHI.
    • Added a reference to Technical Volume #2 (for medium and large organizations) for more advanced technologies to safeguard information systems from unauthorized access.
  • [25:31] Cybersecurity Practice #6: Network Management – Sub-Practice C: Intrusion Prevention
    • Recommendation to get professional IT services to help manage intrusion prevention systems for the network.
  • Cybersecurity Practice #8: Incident Response – Sub-practice A: Incident Response
    • Revisions to align with resources, capabilities and needs of small organizations in developing incident response plans.
    • References were added for NIST and FTC guides for small business incident recovery.
    • A new table was created to describe the roles and responsibilities of an incident response team.
  • Cybersecurity Practice #10: Cybersecurity Oversight and Governance
    • Sub-practice B: Cybersecurity Risk Assessment and Management – Revisions to roles involved in risk assessments and in managing the security of technology.
    • Sub-practice C: Security Awareness and Training – Added FREE 405(d) Knowledge on Demand content for cybersecurity training. FREE!
    • Sub-practice D: Cyber Insurance – New sub-practice added for small organizations, but the content is the same as the revised sub-practice in Technical Volume #2.

[38:45] There were also changes to Technical Volume #2 for medium and large organizations, but they were not as extensive as the changes to Technical Volume 1 for small organizations.

We recommend, though, unless you are a tiny micro organization, that you look at and evaluate both the practices and sub-practices for small and medium sized organizations. If you are in the solid medium world and you have something you’re struggling with, go pull from small and use that as an entry level. You can move back and forth. There are no rules here.

So, in Technical Volume #2 for medium and large organizations, the changes include:

  • Cybersecurity Practice #1: Email Protection Systems
    • Added some additional explanations for MFA
    • Recommendation to do ongoing and targeted training on phishing and spear phishing
    • Recommendation to appoint a change leader who oversees and manages changes, including workforce education on changes.
  • Cybersecurity Practice #2: Endpoint Protection Systems
    • New and revised implementation specifications about full disk encryption, hardened baseline images, patching, end-of-life management.
    • Explanations on how to implement whitelisting as a security measure.
  • Cybersecurity Practice #4: Data Protection and Loss Prevention
    • More information on data classifications, disk-to-disk-to-cloud backup strategies and mapping data flows.
  • Cybersecurity Practice #5: Asset Management
    • Added process of steps regarding procurement.
  • Cybersecurity Practice #7: Vulnerability Management
    • Added a change management sub-practice.
    • Added a framework that can help organizations with attack simulations.
  • Cybersecurity Practice #8: Incident Response
    • Added paragraph on usage of access logs within EHRs and EMRs in the User Behavior Analytics sub-practice.
  • [44:27] Cybersecurity Practice #9: Medical Device Security
    • Added IoT considerations specific to medical devices.
    • Added goals of risk mitigation for medical devices.
    • Added guidance for applying other practices already covered in HICP toward medical devices.
    • Added graphics to illustrate the need for asset discovery and security tools.
    • Added Zero-Trust model to discussion of endpoint protections.
    • Added steps for implementing and maintaining Identity and Access Management, including further explanation of Remote Access.
    • Added a section on micro-segmentation under Network Management.
    • Added a risk-based approach to Vulnerability Management with an example Common Vulnerabilities and Exposures (CVE) list.
    • Added guidance to address contract negotiations within Vulnerability Management.
    • Added information regarding the Department of Commerce’s National Telecommunications and Information Administration (NTIA) software bill of materials (SBOM) initiative.
    • Added section for Security Orchestration and Automated Response (SOAR).
    • Added content to explain a request for SBOM and Enterprise Architecture Diagram as part of a complete Vendor Assessment Package.
  • Cybersecurity Practice #10: Cybersecurity Oversight and Governance
    • Added Social Media to “Examples of Cybersecurity Policies for Consideration” table in the Policies sub-practice.

It is obvious that the technical volume for medium and large organizations is written for technical people. There were many debates on how to word the volume for small organizations and those who will be trying to implement those practices.

There are also suggested metrics in the medium and large volume for measuring how you’re doing, and they can be very helpful for you to review. The volume has very specific guidance and recommendations.

The new HICP guides have been updated to ensure that the ten practices are relevant and actionable in today’s cybersecurity threat environment. Everyone needs to start somewhere to better protect their networks and devices from cyber attacks. The HICP guides are a great place to check your work and add security safeguards to your environment.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.

HelpMeWithHIPAA.com Is A
Collaborative Project

Created & Sponsored By: