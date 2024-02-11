



Cyberattacks remain a formidable threat to healthcare providers, and hackers are becoming more sophisticated.

Policymakers are trying to counter this. For example, in November, New York Governor Kathy Hochul announced a series of proposed cybersecurity regulations that would require hospitals to establish new policies and procedures to protect against ever-increasing cyber threats. And a few weeks ago, HHS released guidance outlining voluntary cybersecurity performance goals for the healthcare sector. Although this initial guidance is voluntary, the goals may be used to inform future HHS rulemakings.

In its guidance, HHS outlined 10 key goals to strengthen provider cybersecurity: mandating basic cybersecurity training, mitigating known vulnerabilities, strengthening email security, using multi-factor authentication, ensuring strong encryption, requiring unique credentials, revoking credentials for departing workforce members, separating user and privileged accounts, establishing incident response plans, and vetting vendor cybersecurity.

These guidelines are a starting point toward a safer and more resilient healthcare system in the U.S., and others are adopting similar measures internationally, said Taylor Lehmann, director in Google Cloud's Office of the CISO and former CISO of athenahealth and Tufts Medicine. But he also believes that these regulatory efforts need to be combined with industry cooperation and information sharing to drive real, long-term change.

The benefit of cyber performance goals is that they show you where the ball will bounce next and what standards and expectations your organization should be working toward. It may not be today, Lehmann explained, but what is in the HHS document is likely to become the content of new regulatory requirements through final rulemaking or legislation.

Some hospitals are better equipped to achieve these cybersecurity goals than others. Although many hospitals have already begun digital transformation, many still rely on legacy IT systems.

The level of preparedness depends on the hospital's size, funding and IT security team resources, Lehmann said.

Important goals may seem like basic security measures, such as multi-factor authentication and the use of unique credentials, but they clearly have not been implemented properly, he said. The basics aren't always easy; they can actually be very difficult.

Hospitals as a whole should focus on strengthening the use of identity as a control mechanism, Lehmann recommended. He said he was encouraged to see this emphasized throughout the HHS guidance.

Lehmann emphasized the importance of conducting penetration tests. They allow healthcare organizations to identify the high-impact, low-effort paths through which attackers can gain entry, along with simple remediation measures that are equally beneficial and must be implemented immediately.

Iterate, test, and revise until your organization achieves a baseline of security controls and can afford to consider prioritizing voluntary goals such as HHS' cybersecurity performance goals. Trust in systems, especially those that have not been evaluated, needs to be established regularly and continuously, he said.

Penetration testing, red teams, and other forms of technical assessment provide a realistic view of the issues that need to be fixed immediately, Lehmann explained. In his view, providers need to start running these processes regularly before more strategic conversations take place.

