Cybersecurity Program Assessment
We base our assessment on criteria defined in the Cybersecurity Act of 2015, Section 405(d), Health Industry Cybersecurity Practices (HICP).
HICP, a joint Health and Human Services (HHS) and industry-led initiative, aims to increase awareness and foster consistency in cybersecurity practices, recognizing the criticality of uninterrupted care delivery and patient safety. HHS continues to institutionalize cybersecurity as a key priority and is actively advocating the culture shift to treat cybersecurity as an enterprise issue. HICP provides technical guidance for small, medium, and large healthcare organizations.
Aligned with existing information and guidance (e.g., the National Institute of Standards and Technology (NIST) Cybersecurity Framework), HICP provides tailored and cost-effective guidance to ensure that the organization addresses threats appropriately and in the right order (e.g., via a roadmap), without overspending.
HICP’s collaborative process defines an appropriate common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes to serve as a resource for cost-effectively reducing cybersecurity risks for a range of health care organizations.
HICP 405(d) references five key threats, 10 cybersecurity practices, and 89 sub-practices. Each cybersecurity practice has a corresponding set of sub-practices, risks that are mitigated by the practice, and suggested metrics for measuring the effectiveness of the practice.
We appreciate HICP’s guidance as it is consistent with our historical approach: focus on the threats most likely to be realized before trying to address everything all at once (aka “avoid boiling the ocean…”).
The following table identifies the HICP assessment criteria of the key threats and practices.
HICP Assessment Criteria
- Key Threats
- Practices (tailored for the organization)
Beyond the five threats addressed in HICP, we will also address two additional threats:
Approach Overview
tw-Security leverages HICP’s technical guide in a tailored approach that prioritizes activities to manage real cyber threats across the HICP-identified practices.
We execute a five-step process to conduct the assessment as follows:
- Step 1: Review threat prioritization (See Key Threats in the table above.)
- Step 2: Review practices tailored to mitigate the core threats
- Step 3: Determine gaps compared to recommended practices
- Step 4: Identify improvement opportunities and implementation recommendations
- Step 5: Complete knowledge transfer
The HICP Cybersecurity Report includes a summary of findings, metrics, and prioritized improvement initiatives. The report serves as a roadmap to decrease risk from the key threats and to increase the maturity of the organization’s cybersecurity program. Deliverables are formally submitted for final approval.
The following is the flyer of CSA 405(d) Managing Threats and Protecting Patients.