The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) is a publication by the U.S. Department of Health and Human Services (HHS) for the 405(d) Program. It identifies five cybersecurity threats and recommends ten best practices that can be used to mitigate them. The HICP is based upon widely accepted and used frameworks, standards, methodologies, processes, and procedures vetted by healthcare and security professionals. The recommendations in the HICP are based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The five threats that the document details are:
Under the zero-trust network security paradigm, the definition of a successful cyber attack is not when the network perimeter is breached or an endpoint gets compromised, but when the ultimate goal of the cybercriminal is achieved: to exfiltrate and encrypt confidential data for ransom, steal patient information to sell it on the dark web, to sabotage healthcare delivery operations by wiping data or by attacking medical devices and operational technology. It is naive to believe that all initial breaches can be prevented, but it is wise to believe they can all be detected quickly and contained through identity-based microsegmentation and the enablement of continuous threat detection and response.
To attain their objectives, attackers need to be able to scan the network and move laterally while remaining undetected until they reach all of their targets. Elisity Cognitive Trust identity-based microsegmentation platform gives defenders the visibility and control platform to build least privilege access policies for users, devices and applications, and to deny attackers the springboards to progress their attack.
Elisity's solution accelerates microsegmentation projects without disrupting health delivery operations, without requiring endpoint agents, and without installing additional hardware. It secures endpoints, servers, IoMT, and OT devices in hospitals and clinics in an agentless way, using existing switches as policy enforcement points, and identity and telemetry sources as policy information points, following NIST Zero Trust Architecture and contributing to the goals of the HICP.
Medical Device and User Security Demo
Get in touch with us about your HHS 405(d) HICP compliance-related project and learn how you can accelerate it with Elisity Cognitive Trust.