Cybersecurity Program Assessment

We base our assessment on the criteria defined in the Health Industry Cybersecurity Practices (HICP), developed under Section 405(d) of the Cybersecurity Act of 2015.

HICP, a joint Health and Human Services (HHS) and industry-led initiative, aims to raise awareness and foster consistency in cybersecurity practices while recognizing the criticality of uninterrupted care delivery and patient safety. HHS continues to institutionalize cybersecurity as a key priority and actively advocates a culture shift toward treating cybersecurity as an enterprise issue. HICP provides technical guidance for small, medium, and large healthcare organizations.

Aligned with existing information and guidance (e.g., the National Institute of Standards and Technology (NIST) Cybersecurity Framework), HICP provides tailored and cost-effective guidance to ensure that the organization addresses threats appropriately and in the right order (e.g., by following a roadmap), without overspending.

HICP's collaborative process defines a common set of voluntary, consensus-based, industry-led guidelines, best practices, methodologies, procedures, and processes that serve as a resource for cost-effectively reducing cybersecurity risk across a range of healthcare organizations.

HICP 405(d) references five key threats, 10 cybersecurity practices, and 89 sub-practices. Each cybersecurity practice has a corresponding set of sub-practices, the risks the practice mitigates, and suggested metrics for measuring the practice's effectiveness.

We appreciate HICP's guidance because it is consistent with our historical approach: focus first on the threats most likely to be realized rather than trying to address everything at once (i.e., avoid "boiling the ocean").

The following table identifies the HICP assessment criteria: the key threats and the practices that mitigate them.

HICP Assessment Criteria

Key Threats

  1. Email phishing attacks
  2. Ransomware attacks (or other malware)
  3. Loss or theft of equipment or data
  4. Insider, accidental or intentional data loss
  5. Attacks against connected medical devices that may affect patient safety

Beyond the five threats addressed in HICP, we also address two additional threats:

  • Hacking
  • Vendor vetting/supply chain security

Practices (tailored for the organization)

  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

Approach Overview

tw-Security leverages HICP's technical guide to take a tailored approach that prioritizes activities for managing real cyber threats across the HICP-identified practices.

We conduct the assessment using the following five-step process:

  • Step 1: Review threat prioritization (see Key Threats in the table above)
  • Step 2: Review the practices tailored to mitigate the core threats
  • Step 3: Determine gaps relative to the recommended practices
  • Step 4: Identify improvement opportunities and implementation recommendations
  • Step 5: Complete knowledge transfer

The HICP Cybersecurity Report includes a summary of findings, metrics, and prioritized improvement initiatives. The report serves as a roadmap for decreasing risk from the key threats and increasing the maturity of the organization's cybersecurity program. Deliverables are formally submitted for final approval.

The following is the CSA 405(d) flyer, "Managing Threats and Protecting Patients."