Health Industry Cybersecurity Practices:

Managing Threats and Protecting Patients

Resources and Templates

Appendix C: Task Group Membership ............................................................... 10

Appendix D: Practices and the NIST Cybersecurity Framework........................ 14

Appendix E: Practices Assessment, Roadmaps, and Toolkit ............................. 39

Appendix F: Resources ....................................................................................... 43

Appendix G: Templates ...................................................................................... 50

Appendix A: Glossary of Terms

such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.

information that is stored on, processed by, or transiting an information system.

other territory or possession of the United States. The term ``non-Federal entity'' does not include a foreign power as defined in section 101 of

the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).

nonprofit entity, including an officer, employee, or agent thereof. The term ``private entity'' includes a State, tribal, or local government

performing utility services, such as electric, natural gas, or water services. The term ``private entity'' does not include a foreign power as defined

in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).

confidentiality, integrity, and availability of an information system or its information.

to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence,

civil liberties, or public health and safety of the American people. An unauthorized modification of, unauthorized deletion of, unauthorized

exfiltration of, or unauthorized access to 100,000 or more individuals’ PII constitutes a “major incident.” OMB M-18-02 and subsequent OMB

Guidance: The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person

other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or

potentially accesses personally identifiable information for an other than authorized purpose. Source: Department of Homeland Security DHS

Directives System Instruction Number: 047-01-006 Revision Number: 00 Issue Date: DECEMBER 4, 2017

mission/business processes will be sustained during and after a significant disruption. Source(s): NIST SP 800-34 Rev. 1; CNSSI 4009-2015 (NIST

Examples of Categories include “Asset Management,” “Identity Management and Access Control,” and “Detection Processes.” Source(s): NIST

Cybersecurity Framework

an information system to protect the confidentiality, integrity, and availability of the system and its information. Source(s): FIPS 200 (FIPS 199);

FIPS 199; CNSSI 4009-2015 (FIPS 199); NIST SP 800-128 (FIPS 199); NIST SP 800-137 (FIPS 199); NIST SP 800-18 Rev. 1 (FIPS 199); NIST SP 800-34

Rev. 1 (FIPS 199); NIST SP 800-37 Rev. 1 (FIPS 199); NIST SP 800-39 (FIPS 199, CNSSI 4009); NIST SP 800-60 Vol 1 Rev. 1 (FIPS 199); NIST SP 800-30

(FIPS 199, CNSSI 4009); NIST SP 800-82 Rev. 2 (FIPS 199)

modification, or destruction of the system.

multiple layers and missions of the organization. Source(s): CNSSI 4009-2015 (NIST SP 800-53 Rev. 4); NIST SP 800-39 (CNSSI 4009); NIST SP 800-

53 Rev. 4; NIST SP 800-30 (CNSSI 4009)

equipment or entity may be rendered inoperable or forced to operate in a degraded state; operations that depend on timeliness may be

delayed. Source(s): NIST SP 800-24

2015 (NIST SP 800-34 Rev. 1)

such as workstations and laptops against attack (e.g., antivirus, antispyware, anti-adware, personal firewalls, host-based intrusion detection and

prevention systems, etc.). Source(s): NIST SP 800-128

operations (including mission, capabilities, or reputation). Source: NIST Framework

an information system on an organization's operations, its assets, on individuals, other organizations, or on national interests. Source(s): DHS

Risk Lexicon, National Infrastructure Protection Plan, NIST SP 800-53 Rev 4

processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or

acceptable use policies. Source(s): NIST Framework

sensing, heating/cooling, lighting, motor actuation, transportation) to information networks (including the Internet) via interoperable protocols,

present two pieces of evidence – your credentials – when logging in to an account. Source: Back to basics: Multi-factor authentication (MFA)

local area network, wide area network, Internet). Source(s): NIST SP 800-53 Rev. 4

to fit the user’s specific environment and mission. Source(s): NIST SP 800-53 Rev. 4

Subcategories. Source(s): NIST Framework

systems. Source(s): NIST SP 800-82

is any access across a network connection in lieu of local access (i.e., user being physically present at the device). Source(s): NIST SP 800-53

organizational assets, or individuals resulting from the operation of an information system and includes: (i) the conduct of a risk assessment; (ii)

the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the

security state of the information system. Source(s): FIPS 200

The most common form of router operates on IP packets. Source(s): NIST SP 800-82

the confidentiality, integrity, and availability of the system, its components, processes, and data. Source(s): NIST SP 800-82

but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of

side partners, demand-side partners, alliances, consortiums, and investors, and may include both contractual and non-contractual parties.

Source(s): DHS

system development, information technology services, outsourced applications, and network and security management. Organizations explicitly

include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational

facilities with credentials, badges, or information system privileges issued by organizations. Source: NIST Special Publication 800-53 (Rev. 4)

PR.AC-7 Users, devices, and other assets are authenticated (e.g.,

PR.DS-5 Protections against data leaks are implemented

DE.CM-1 The network is monitored to detect potential cybersecurity

Many models exist to help enumerate priority and criticality based on risk. Below is a simple model that may be

followed:

The first step in implementing a threat centric approach to mitigate cyber-attacks is to evaluate and prioritize

the threats that are listed below. Organizations may have different perspectives on their threat susceptibility,

Both attacks lead to further compromise of the organization.

monetary “ransom.” May result in the permanent loss of

patient records.

Potential for equipment to be lost or stolen and lead to a

theft of patients.

Data Loss

Potential for data to be intentionally or unintentionally

removed from the organization. May lead to a breach of

Once you have selected the first threat to mitigate, the next step is to review the series of practices that exist to

1

2

3

4

8

9

10

As the practices in this document mitigate multiple threats, it is advisable to consider the practices that provide

the best breadth of protection, followed by the practices that provide the most depth to mitigate the threat.

Assess each identified gap to determine if the reviewed practices will provide sufficient protection for your

organization considering the projected cost to implement them. If it is determined to be a cost-effective

solution, then identify the practice for implementation.

interview-based assessment to evaluate an organization’s management of their dependencies.

Through the EDM assessments, organizations can learn how to manage risks arising from

external dependencies within the information and communication technology (ICT) supply

assessment based on standards, guidelines, and best practices. The assessment encompasses

architecture and design review, system configuration, and log file review, and sophisticated

analysis of network traffic to develop a detailed representation of the communications, flows,

owner’s network.

recovery activities. This service can be performed in conjunction with incident response services

if required.

through the www.us-cert.gov and www.ics-cert.gov websites. NCCIC designed these products—

part of the National Cyber Awareness System (NCAS)—to improve situational awareness among

threats and issues and general security topics. Products include technical alerts, control systems

advisories and reports, weekly vulnerability bulletins, and tips on cyber hygiene best practices.

The following templates ARE:

ARE NOT:

your own use and cut sections from it to paste into your own documents, or start with these if current

necessary to assure language is easy for your workforce members to understand.

This section includes various templates with a wide variety of style. However, in general, Policy and Procedures

often have key sections. Below is a description of methods of organization. Choose the format that works best

for your organization.

group together those policies that address workforce behavior. These may include topics like

Acceptable Use and Workstation protocols. Another category often grouped together would be

those policies governing HIPAA Security that are the responsibility of the Security Officer (versus

group together the technical systems specific policies, and/or those dealing with Incident Response

your chosen template has this section, users should change the titles to match their

organization’s terminology, organizational structure and division of duties. It is not practical

to list individual names, but tying together the titles of those responsible for certain

functions assures that all reading the document understand the individual(s) accountable

for assuring the policy is in place.

this section describes what the policy is trying to accomplish. Users should consider

including background descriptions in their final policies, as a guide to understanding the

issues and concepts behind the policy.

regulations for which a policy is needed prior to making substantive changes to the policy

sections of template documents.

augment and/or modify the procedure sections of these templates as necessary to fit their

organization/department’s way of doing things.

and explanation in applying the policy.

should be sure to include a Definitions section in their final privacy, security/cyber security documentation.

organization’s practices and to prove ongoing revision, having a Revision History is key. A routine annual review

Privacy and Security Toolkits. This document, and this section specifically are in no way recommending or

organizations:

To customize this template document, replace all of the text that is presented in brackets (i.e. “[” and “]”) with

text that is appropriate to your organization and circumstances. Many of the procedure statements below

[Organization name] has developed a series of privacy and security policies and procedures as well as a series of

Certain employees and contractors of [organization] use portable and mobile computing devices including

• Laptop Computers

• Tablet Computers

• iPADs or their equivalent

• Smartphones

• Other mobile devices [specify]

For work related tasks while traveling or at home. This sometimes entails remote access to our networks, to our

applications that create, store, maintain or transmit ePHI, or to websites that create, store, maintain or transmit

ePHI.

It is the policy of [organization] that all remote use and/or access will be done with established security

safeguards.

Procedure:

1. Laptops and [insert type of device(s)-for example, “Smartphone and Tablet”] that are assigned to

2. Laptops and [insert type of device(s)-for example, “Smartphone and Tablet”] must be configured with

4. The standard laptop and [insert type of device(s)-for example “Smartphone and Tablet”] configuration

15. Smartphones and tablets that are used to access, receive or transmit ePHI shall be configured to limit

Including privacy incidents or “wrongful disclosures” means the incidents can not only come from an

1. [ENTITY] maintains a comprehensive internal security control program, which is coordinated by the

Has incident been verified? Yes No

By Whom? When?

Who has been identified as the individual

responsible for committing the incident?*

Complete Risk Assessment Worksheet. What is

the level of probability (high, medium or low)

that the PHI was compromised?

If necessary, has Notification been completed? Yes. Date: No

Describe the corrective action plan to

mitigate:

1. What is the nature and extent of the PHI involved including the types of