The New Health Law and Its Implications for Securing Healthcare Organizations

Earlier this year, H.R. 7898 was signed into Public Law No 116-321 amending the Health Information Technology for Economic and Clinical Health (HITECH) Act. The new statute requires that the U.S. Department of Health and Human Services (HHS) considers the extent to which HIPAA-covered entities and their business associates are prioritizing cybersecurity and implementing “recognized security practices" when HHS is assessing fines or penalties related to enforcement of the HIPAA Security Rule.

While the full scope of what officially constitutes a “recognized security practice” is still yet to be defined, the new law does explicitly identify two established industry standards and practices—including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and “the approaches promulgated Section 405(d) Cybersecurity Act of 2015 (CSA)”.

These approaches are a clear reference to the CSA 405(d) Task Group, established through HHS’s existing Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. Starting in 2017, the group convened with a mission to develop a common set of voluntary, consensus-based, and industry-led guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use to enhance cybersecurity. In 2018, the Task Group published “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients”. Though published as voluntary practices, entities hoping to avoid HIPAA penalties will likely have a new reason to voluntarily adopt these if and when H.R. 7898 is fully implemented.

We helped shape cybersecurity best practices that the new law advocates for.

Palo Alto Networks and former Zingbox (acquired by Palo Alto Networks in September, 2019) security experts were honored to partner with both security standard-setting parties highlighted in the bill.

We have been intimately involved in the CSA 405(d) Task Group best practice development effort since its beginning. During the development of the HICP standards, we offered our expertise on cyber threat prevention in the healthcare sector, with a focus on best practices in medical device security. Based on our years of research and real world monitoring and protection of millions of medical devices, we worked with the CSA 405(d) Task Group members to identify unique cybersecurity challenges, and lay out vendor agnostic guidance to identify, monitor and secure the Internet of Medical Things (IoMT).

Palo Alto Networks involvement in the HICP development effort is just one example in our broader company commitment to shaping global security standards to reflect industry-leading capabilities. Beyond HICP, Palo Alto Networks also partnered with NIST and the National Cybersecurity Center of Excellence to produce Securing Picture Archiving and Communications Systems (PACS), a reference architecture demonstrating how Palo Alto Networks technologies can help healthcare organizations with asset management, access control, data security, continuous security monitoring and more for PACS systems. We’re also active partners with NIST and other standards organizations helping to define Zero Trust Architecture, 5G security, cloud, mobile device security and other security use cases relevant to healthcare organizations and across multiple other sectors.

Palo Alto Networks provides industry leading IoT Security capabilities that meet those standards.

This new law could not come at a more opportune time as the number of connected medical devices are increasing dramatically in healthcare organizations. The current pandemic with increased telehealth and remote patient services has also brought about new risks in the healthcare sector. IoMT devices are becoming an increasing threat vector in the most targeted industry for cyber attacks. The need to up-level adopting IoT security best practices could not be emphasized enough.

Palo Alto Networks has been at the forefront of identifying, monitoring and protecting both IT and IoT devices. Our latest Unit 42 2020 IoT Threat Report is based on two years of research into over 1.2 million IoT devices. The report highlighted a wide range of insights for security in healthcare environments, such as:

• 98% of IoT traffic is not encrypted
• 57% of IoT devices are vulnerable to medium- or high-severity attacks
• 83% of medical imaging devices run on unsupported operating systems

These numbers are alarming knowing that many of these devices are in critical operations, which can mean life or death in healthcare. These devices bring in increasing challenges in cybersecurity, with large quantities, large variety, lack of self-protection, large risk surface, and long equipment life cycle. Many traditional IT security technologies can’t be applied to IoT directly or don’t work effectively on IoT, such as installing an agent on each device, scanning, etc.

In addition to technical challenges, there are also organizational challenges. It is usually the biomedical team in charge of purchasing, managing, and maintaining medical devices with special expertise. IT and security teams are the ones with security expertise, but they often are not even allowed to touch these special-purposed medical devices.

Therefore, it is extremely important for healthcare providers to develop a systematic process with intelligent, integrated, and easy to use tools to automatically identify, monitor, and protect these devices 24 X 7. They should enable partnership among all stakeholders in the organization including biomedical, IT, security, procurement, finance teams and even facility or any other team that can bring in IoT devices.

Palo Alto Networks has developed a vendor-agnostic practical guide that can be quickly embedded in your IoT security planning process. Read the complete practical guide here to learn about the five must-haves for securing IoT devices, as shown in Figure 1.

The new law encourages cybersecurity best practices in healthcare and Palo Alto Networks can help as we are the leader in partnering with health providers. We offer the most comprehensive IoT security solution, integrating IT with IoT, providing visibility and enforcement on a single platform, and yet easy to deploy and use. We are here to work with you to secure your entire organization which ultimately means better patient services and safety in healthcare.

Register to watch our webcast on how you can “Protect Every Medical Device in Your Network”.

Anand Oswal serves as Senior Vice President and General Manager at cyber security leader Palo Alto Networks where he leads the company’s Firewall as a Platform efforts.