HHS: Strong cyber posture crucial for health care organizations

Threat brief outlines steps to improve computer security in health care.

Health care systems must continue bolstering their cyber postures, the overall strength of organizational cybersecurity, according to the federal Department of Health and Human Services (HHS).

The cyber posture includes protocols for predicting and preventing cyber threats, and the ability to act and respond during and after attacks, said “Strengthening Cyber Posture in the Health Sector.” It is the latest threat brief published June 16 by HHS’ Health Sector Cybersecurity Coordination Center (HC3), which works with HHS’ Office of Information Security and the federal Cybersecurity & Infrastructure Security Agency (CISA).

The health care sector remains a popular target for cyberattacks because of the amount of data and relatively vulnerable computer systems, according to HC3. The cyber posture threat brief cited reports from the law firm Baker Hostetler, which published its “2022 Data Security Incident Response Report” in April, and the nonprofit analyst CyberPeace Institute, which in March 2021 published “Playing with Lives: Cyberattacks on Healthcare are Attacks on People.”

Good posture

HC3 advised the following steps to strengthen an organization’s cyber posture:

  • Conduct regular security posture assessments
  • Consistently monitor networks and software for vulnerabilities
  • Define which department owns what risks and assign managers to specific risks
  • Regularly analyze gaps in your security controls
  • Define a few key security metrics
  • Create an incident response plan and a disaster recovery plan

Reduce the likelihood

HC3 offered ways to reduce the likelihood of a cyber intrusion:

  • Validate that all remote access to the organization’s network, as well as privileged or administrative access, requires multi-factor authentication.
  • Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA.
  • Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.
  • If the organization is using cloud services, ensure that IT personnel have reviewed and implemented strong controls outlined in CISA's guidance.
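The three checks above (MFA on remote and privileged access, patching prioritized by known exploited vulnerabilities, and disabling non-essential ports and protocols) are the kind of thing an organization can turn into a repeatable audit. The script below is an added example, not HC3 or CISA tooling: every account, software inventory entry, vulnerability record and socket listing in it is constructed sample data, and the "PLACEHOLDER-KEV-*" identifiers stand in for real catalog entries. It reports which items fail each check so the gaps can be assigned to an owner, as the "Good posture" list recommends.

```python
"""Posture audit for the three HC3 'reduce the likelihood' items.

Added illustrative example; all inventory data below is constructed and the
KEV-style records are placeholders, not real CISA catalog entries.
"""

# --- constructed inventory -------------------------------------------------

# Accounts with remote or privileged access (constructed sample).
REMOTE_ACCESS_ACCOUNTS = [
    {"user": "vpn-clinician-01", "remote": True,  "admin": False, "mfa": True},
    {"user": "svc-backup",       "remote": True,  "admin": True,  "mfa": False},
    {"user": "helpdesk-admin",   "remote": False, "admin": True,  "mfa": False},
    {"user": "front-desk-02",    "remote": False, "admin": False, "mfa": False},
]

# Installed software and versions (constructed sample).
INSTALLED = [
    {"product": "ExampleVPN",  "version": "4.2.1"},
    {"product": "ExampleMail", "version": "2.9.0"},
    {"product": "ExampleEHR",  "version": "7.0.3"},
]

# Placeholder records shaped like a known-exploited-vulnerabilities feed:
# affected product, first fixed version, placeholder id. Not real CVEs.
KEV_LIKE = [
    {"product": "ExampleVPN", "fixed_in": "4.3.0", "id": "PLACEHOLDER-KEV-1"},
    {"product": "ExampleEHR", "fixed_in": "6.5.0", "id": "PLACEHOLDER-KEV-2"},
]

# Listening sockets as 'proto port service' lines (constructed sample).
LISTENING = """\
tcp 443 https-portal
tcp 3389 rdp
tcp 22 ssh
udp 161 snmp
tcp 8443 ehr-api
"""

# Ports the organization has documented as essential (constructed allowlist).
ESSENTIAL_PORTS = {("tcp", 443), ("tcp", 22), ("tcp", 8443)}


def version_tuple(v):
    """'4.2.1' -> (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def accounts_missing_mfa(accounts):
    """Remote or privileged accounts that do not enforce MFA.

    Ordinary local accounts without MFA are not flagged; the HC3 item is
    specifically about remote, privileged and administrative access.
    """
    return sorted(a["user"] for a in accounts
                  if (a["remote"] or a["admin"]) and not a["mfa"])


def unpatched_kev(installed, kev):
    """Installed products older than the first fixed version of a KEV-style record."""
    findings = []
    for sw in installed:
        for entry in kev:
            if (entry["product"] == sw["product"]
                    and version_tuple(sw["version"]) < version_tuple(entry["fixed_in"])):
                findings.append((sw["product"], sw["version"], entry["id"]))
    return sorted(findings)


def nonessential_listeners(listing, allow):
    """Listening sockets not on the documented-essential allowlist."""
    out = []
    for line in listing.splitlines():
        proto, port, svc = line.split()
        if (proto, int(port)) not in allow:
            out.append((proto, int(port), svc))
    return out


def posture_report():
    """Collect all three checks into one structure an owner can be assigned to."""
    return {
        "mfa_gaps": accounts_missing_mfa(REMOTE_ACCESS_ACCOUNTS),
        "kev_gaps": unpatched_kev(INSTALLED, KEV_LIKE),
        "port_gaps": nonessential_listeners(LISTENING, ESSENTIAL_PORTS),
    }


if __name__ == "__main__":
    for check, gaps in posture_report().items():
        print(check, gaps)
```

In practice the constructed lists would be replaced by exports from the identity provider, the software inventory, the real CISA catalog and a socket listing from each host; the point of the script is that each HC3 item becomes a concrete, repeatable check with a named result rather than a one-time confirmation.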

CISA offers free tools and services to increase cybersecurity. The federal Office of the National Coordinator for Health Information Technology also has a security risk assessment tool to conduct security risk assessments as required by federal rules and agencies including the Centers for Medicare and Medicaid Services.

Diverting payments

Beginning in 2020, there was a noticeable increase in the number of phishing and social engineering attacks that attempted to divert, or successfully diverted, wire transfers, direct deposits and automated clearing house (ACH) payments, according to the Baker Hostetler report. The firm reported that the shift started in 2020 and continued last year.

Baker Hostetler offered its top five tips to prevent fraudulent transfers:

  • Use multifactor authentication (MFA) for remote access to online accounts, including email and payroll portals, and disable legacy authentication in your email tenant.
  • Train employees regarding phishing emails and common fraudulent fund transfer schemes.
  • Establish written policies and procedures related to authorization and approval of changes to wire transfer, ACH payment, and direct deposit information.
  • Design contract provisions with vendors and customers that require in-person or voice authentication for changes to existing wire transfer, ACH payment, and direct deposit information.
  • Research if something seems awry: look up the telephone number that you have on file for the email sender (not the contact listed in their email), and call the sender to confirm that what is being requested is legitimate.