The U.S. Department of Health and Human Services (HHS) Office of Information Security and the Health Sector Cybersecurity Coordination Center (HC3) outlined steps healthcare organizations should take to improve their cyber posture.
The report, "Strengthening Cyber Posture in the Health Sector," detailed six cybersecurity strategies for healthcare security leaders to implement in their organizations.
1. Assess organizational security posture
Determining the organizational baseline for cybersecurity and continually reassessing cyber posture is key to discovering where gaps are in a healthcare organization. Including all information technology (IT) assets — from employee computers to Internet of Things (IoT) medical devices — in the assessment can help provide a complete picture of a healthcare organization's cybersecurity posture.
2. Monitor for network and software vulnerabilities
Employees should continually monitor for abnormal behavior within the organization's network, according to the report. Healthcare cybersecurity teams can also rely on vulnerability scanning technology, such as the resources provided by the Cybersecurity and Infrastructure Security Agency (CISA), for automated threat detection.
3. Create clear responsibility for risk management
The report emphasized determining exactly who in an organization is responsible for each risk facing the healthcare facility. By clearly defining risk and appointing specific people to be responsible for risk management, the organization can better track cyber risks and create a culture of security awareness.
4. Consistently assess gaps in security controls
By comparing their organization's cybersecurity posture to that of their peers, security leaders can identify gaps in their own programs. Constantly reassessing security controls can help identify possible vulnerabilities before they affect the organization.
5. Track key cybersecurity metrics
Healthcare cybersecurity leaders should define cybersecurity metrics that benefit and directly apply to their organizations, such as the progress of employee training, the security of IoT devices and other cybersecurity initiatives.
6. Develop incident response and disaster recovery plans
According to the report, healthcare cybersecurity leaders should create a crisis response team that can manage cybersecurity in the event of a security incident. The team should include members of the technology, communications, legal and business continuity departments. Conducting a tabletop exercise of a potential incident can help healthcare organizations identify gaps in their emergency response plan.
For more information, read the report.