<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2849132&amp;fmt=gif">

Implementing HHS 405(d) HICP Microsegmentation in Clinical Networks

A Comprehensive Guide to Improve Cybersecurity Posture and Meet Regulatory Compliance in the Healthcare Industry
     

Executive Summary

Key Findings

  • Healthcare organizations face an increasingly complex cybersecurity landscape due to the proliferation of connected devices, sensitive patient data, and evolving cyber threats. This complexity underscores the importance of robust cybersecurity strategies, such as those outlined in the HHS 405(d) Health Industry Cybersecurity Practices (HICP) and the implementation of microsegmentation.
  • The HHS 405(d) HICP provides a voluntary set of federally recognized standards designed to improve cybersecurity in healthcare. Organizations that adopt these practices can gain regulatory benefits, such as mitigation of fines and favorable regulatory treatment, particularly when these practices are in place for at least 12 months prior to an investigation.
  • Microsegmentation is emerging as a powerful tool in the healthcare sector's cybersecurity arsenal. By isolating network segments, it limits the lateral movement of threats, protecting critical systems and data from compromise. An example of successful microsegmentation implementation in the healthcare sector is Bupa's Cromwell Hospital, where the deployment of Elisity's Platform resulted in significant improvements in the hospital's security posture.
  • Despite the benefits, implementing HHS 405(d) HICP and microsegmentation strategies can present challenges. These include managing device visibility and risk in clinical networks, meeting the regulatory requirements of the PATCH Act of 2022, and ensuring ongoing compliance with HIPAA.

Recommendations

Chief Information Security Officers (CISOs) and IT decision-makers within healthcare organizations should:

  • Understand the value of adopting the HHS 405(d) HICP standards and implementing microsegmentation in their cybersecurity strategies. Recognize the potential regulatory advantages, risk mitigation benefits, and enhanced protection for sensitive patient data that these approaches can offer.
  • Anticipate and plan for the challenges associated with managing device visibility and risk in clinical networks. This includes ensuring the security of unmanaged devices, legacy systems, and other potential vulnerabilities.
  • Align their cybersecurity strategies with the requirements of the PATCH Act of 2022. Understand how this legislation impacts their organization's cybersecurity responsibilities, particularly in relation to medical devices.
  • Continue to prioritize HIPAA compliance, even when implementing new cybersecurity practices. Remember that the HHS 405(d) HICP does not provide HIPAA relief and organizations can still face penalties for violating HIPAA.
  • Seek the guidance of trusted advisors and industry experts in navigating the complexities of healthcare cybersecurity. This includes not only understanding the technical aspects of implementing HHS 405(d) HICP and microsegmentation strategies, but also managing the broader organizational and regulatory implications.

Download this White Paper

Download this White Paper

    

Introduction

In today's digital healthcare landscape, the need for robust and effective cybersecurity measures has never been more critical. As Chief Information Security Officers (CISOs) navigate this increasingly complex environment, they must not only protect sensitive patient data and ensure system integrity, but also comply with an evolving set of regulatory requirements. It's a daunting task, but one that is absolutely vital to the success and credibility of any healthcare organization.

Healthcare networks are unique in their complexity and the value of the data they hold. Hospitals and healthcare facilities are increasingly dependent on a wide array of connected devices, from MRI and CT scanners to wearable patient monitors. These devices, while improving the quality and delivery of care, also introduce new vulnerabilities that can be exploited by cyber threats. In addition, the sensitive nature of patient data means that any security breach can have serious ramifications, not only for the affected individuals but also for the trust and reputation of the healthcare provider.

To help healthcare organizations navigate this challenging landscape, the Health and Human Services (HHS) issued the 405(d) Health Industry Cybersecurity Practices (HICP), a voluntary set of federally recognized standards that provide guidance for protecting healthcare networks against cyber threats. These practices were developed as a result of the Cybersecurity Act of 2015 and are intended to bring clarity and alignment to healthcare cybersecurity.

Furthermore, the rising adoption of microsegmentation as a cybersecurity strategy is demonstrating its value in managing complex network environments and limiting the lateral movement of threats. By isolating network segments, microsegmentation provides enhanced protection for critical systems and sensitive data.

This white paper provides an overview of the HHS 405(d) HICP, explores the benefits and challenges of implementing microsegmentation in healthcare networks, and offers insights on managing device visibility and risk assessment in clinical healthcare networks. It is intended to serve as a guide for CISOs and IT decision-makers in healthcare organizations, providing valuable insights to support them in their cybersecurity strategies.

   

Understanding HHS 405(d) HICP

The Health Industry Cybersecurity Practices (HICP), colloquially known as the 405(d) HICP, emerged from the Cybersecurity Act of 2015 as a response to the increasingly complex and threatening cybersecurity landscape facing the healthcare sector. The Act called for a more coordinated approach to cybersecurity within the industry, leading the Health & Human Services (HHS) to convene a task force of 200 information security officers, medical professionals, privacy experts, and industry leaders. The result of this collaboration was the creation of consensus-based guidelines, practices, and methodologies designed to strengthen healthcare against cyber threats.

The HICP is a voluntary set of federally recognized standards. Adoption and documentation of these practices can provide benefits in the event of audits by the Office for Civil Rights (OCR). In 2021, the HR 7898 bill was signed into law as an amendment to the HITECH Act, now known as Public Law 116-321. This law requires HHS to recognize the adoption of cybersecurity best practices, like 405(d) HICP. If a healthcare organization can demonstrate that they have had the 405(d) HICP in place for no less than 12 months prior to an investigation, it may result in the mitigation of fines and early, favorable regulatory treatment.

However, it's essential to note that 405(d) HICP is not a safe harbor and does not provide relief from HIPAA regulations. Healthcare organizations and their business associates must still abide by HIPAA rules, can be audited for violating HIPAA, and face penalties for non-compliance. The HICP does not replace the need for an organization to have established HIPAA policies and procedures, nor does it replace the need for risk analysis. Instead, the risk analysis process can be used to identify and prioritize the rollout of 405(d) HICP controls.

The practices and sub-practices outlined in the 405(d) HICP are broken down by the size of an organization—small, medium, and large. This tiered approach allows healthcare organizations of all sizes to apply these practices effectively and in line with their unique needs and capacities.

In 2023, HHS updated the HICP to reflect the evolving threat landscape and technology advancements. This updated version includes changes and additions that bring the recommendations current, keeping healthcare organizations informed and prepared to face the ever-evolving cyber threats.

In the next sections, we will delve deeper into one of the key practices recommended in the HICP—microsegmentation—and its role in improving cybersecurity in healthcare networks.

   

Leveraging Microsegmentation for Robust Healthcare Cybersecurity

Microsegmentation, a security strategy that partitions a network into multiple isolated segments or 'microsegments', serves as a formidable asset in healthcare cybersecurity. Each microsegment signifies a unique network component, governed by its independent set of security rules and controls. This architecture effectively 'boxes in' any potential intruder within the infiltrated microsegment, thwarting their attempts to laterally traverse the entire network and thereby minimizing potential harm.

The healthcare industry, characterized by its trove of sensitive data and plethora of connected devices, often falls prey to cyber threats. Medical devices, such as MRI and CT scanners, typically run on legacy systems, making them difficult to safeguard using conventional IT-based controls. The high-stakes nature of hospital services further entices cybercriminals. Consequently, microsegmentation emerges as a potent solution to fortify cybersecurity defenses in healthcare.

In the context of unpatched devices, microsegmentation shines as a particularly effective solution. By confining these devices to specific segments, any vulnerabilities they possess are contained within their assigned microsegment, thereby preventing their exploitation to compromise the broader network.

Microsegmentation brings forth a multitude of benefits for healthcare organizations:

  • Enhanced Security: Microsegmentation shrinks the attack surface by confining threats to isolated network segments, thereby shielding sensitive patient data and crucial healthcare services from wide-scale compromise.
  • Regulatory Compliance: By bolstering patient data protection, microsegmentation aids healthcare entities in complying with regulatory mandates such as HIPAA. Moreover, the adoption of recognized security strategies like microsegmentation evidences adherence to best practices like the 405(d) HICP.
  • Operational Continuity: Microsegmentation lets healthcare organizations bolster their security stance without interrupting their operational flow. By selectively controlling access to network segments, microsegmentation ensures that essential services remain unaffected even amidst a breach in a network segment.

Real-world case studies, such as the adoption of Elisity at Bupa’s Cromwell Hospital, underscore the value of microsegmentation in a healthcare context. Following its deployment, the hospital experienced marked improvements in safeguarding clinical devices and patient information against a spectrum of cyber threats, all the while maintaining operational continuity.

However, the implementation of microsegmentation can come with its own set of challenges. A thorough understanding of these hurdles and strategies to surmount them is crucial, which we will explore in the ensuing section.

    

Case Study: Bupa Cromwell Hospital’s Implementation of Elisity and Medigate

Healthcare institutions like Bupa's Cromwell Hospital are often at the forefront of cybersecurity, with a plethora of connected devices, highly sensitive patient data, and essential services. Medical devices like MRI and CT scanners often operate on legacy systems, making them challenging to protect with traditional IT security measures.

Bupa Cromwell Hospital, a state-of-the-art facility in London specializing in complex procedures and advanced care, was keen to improve its security posture against a new wave of threats, without disrupting operations. Bupa Group CISO Paul Haywood emphasized the company's dedication to patient data protection and its journey towards a cloud-dominant environment, which required effective management of policy and access.

Challenge

One of the significant challenges Bupa Cromwell Hospital faced was dealing with unmanaged devices, those without a software agent or additional IT control capabilities. These devices typically use old operating systems and cannot be patched or managed with traditional network security systems, making them preferred attack vectors for ransomware and other directed attacks.

Despite investing in a variety of solutions, the hospital struggled to gain deep visibility into the devices on its network and understand potential risks. They needed an all-encompassing view to quickly identify unmanaged devices and deploy policy without a substantial hardware refresh.

Solution

To address these challenges, Bupa Cromwell Hospital partnered with Elisity and Medigate to develop an advanced security solution for their infrastructure management. Elisity provided identity-based microsegmentation for the existing access layer switching infrastructure, requiring no additional hardware or network downtime. The Identity Graph by Elisity created context for effective security policy management by understanding users, devices, apps, and their relationships on the network.

Medigate, on the other hand, offered award-winning device discovery and risk assessment capabilities. By integrating these two platforms, the team identified policy gaps and developed microsegmentation and least privilege access policies mapped to device classes and user groups. This integration streamlined device identification, asset management, and ongoing policy maintenance while reducing the risk of security breaches for medical and IoT devices.

Outcomes

The Elisity and Medigate joint solution significantly benefited Bupa Cromwell Hospital. It delivered real-time visibility into medical devices, assessed vulnerabilities, and provided policy recommendations for efficient enforcement by Elisity. This streamlined policy management ensured a reliable approach to infrastructure management and protected patient information.

Cromwell Hospital CISO Alma Kucera reported that the implementation allowed them to manage traffic going into their medical devices and introduced layers of mitigation in defense and depth around the key risks identified.

According to Paul Haywood, Bupa's CISO, "In my 30 years of working in technology and security, I’ve never delivered a product into an environment and got instant benefit like we did with Elisity and Medigate."

This case study is an excellent example of how combining identity-based microsegmentation with device discovery and risk assessment capabilities can significantly improve healthcare organizations' cybersecurity posture, even in complex environments with a variety of connected and unmanaged devices.

    

Implementing Device Visibility and Risk Assessment in Clinical Networks

In healthcare environments, visibility and risk assessment of devices on the network is a critical aspect of effective cybersecurity. In many cases, healthcare networks include a mix of managed and unmanaged devices, such as medical imaging equipment, lab systems, and patient monitoring devices. These often operate on older operating systems and cannot be secured using traditional network security controls. Unmanaged devices, in particular, can present a significant risk as they may not be patchable or manageable in the same way as IT equipment, making them a favored target for cyber attacks.

Implementing device visibility and risk assessment involves a series of steps:

  1. Asset Discovery and Classification: The first step is to identify all devices on your network and classify them based on their function and importance to the organization. This could involve a mix of automated discovery tools and manual inventory processes.
  2. Risk Assessment: Once you know what devices are on your network, the next step is to assess the risk associated with each. This includes understanding the potential impact of a compromise to each device, evaluating the current security controls in place, and determining the likelihood of a threat.
  3. Prioritization: Based on the risk assessment, prioritize devices for further action. Devices that hold sensitive data or are critical to patient care may require more stringent security controls.
  4. Security Control Implementation: Implement appropriate security controls based on the risk assessment and prioritization. This might include access controls, encryption, regular patching and updates, or, in the case of high-risk unmanaged devices, isolation through microsegmentation.
  5. Continuous Monitoring and Adjustment: Cybersecurity is not a one-time effort but requires ongoing monitoring and adjustment. Regularly reassess the risk of devices, monitor for suspicious activity, and adjust security controls as necessary.

Microsegmentation plays a critical role in this process, particularly for unmanaged or high-risk devices. By isolating these devices into their own network segments, you can limit the potential impact of a compromise and provide an additional layer of security. The implementation of microsegmentation, however, requires careful planning and consideration, as we'll discuss in the next section.

     

The Impact of the PATCH Act of 2022

The PATCH Act of 2022 represented a significant step forward in the recognition and enhancement of cybersecurity in the healthcare industry. With the increasing frequency and sophistication of cyber threats facing healthcare organizations, the Act aimed to provide a legislative framework that would reinforce the need for stronger cybersecurity measures.

The Act mandated that all healthcare organizations must adhere to the HHS 405(d) Health Industry Cybersecurity Practices (HICP) and apply them in their cybersecurity strategies. This brought the HICP from a voluntary framework into a mandatory requirement for healthcare organizations, ensuring that a minimum set of cybersecurity practices is consistently applied across the industry.

However, it's important to note that the PATCH Act does not replace existing regulations such as HIPAA, but rather complements them, reinforcing the obligation for healthcare organizations to maintain robust cybersecurity practices. The Act also does not offer a 'safe harbor' from HIPAA requirements or penalties.

The PATCH Act also introduced a focus on the use of microsegmentation as a key cybersecurity control. This is especially relevant in the healthcare sector, where the diversity of devices in clinical networks presents a significant challenge. Microsegmentation has been recognized as an effective solution to isolate these devices, reducing the risk of lateral movement of threats within the network.

The requirement to implement microsegmentation requires healthcare organizations to invest in appropriate tools and solutions, as well as upskilling their teams or engaging external expertise to effectively manage these controls. This represents a significant shift in the approach to cybersecurity in the healthcare industry and emphasizes the need for proactive and preventative measures.

Overall, the PATCH Act of 2022 has not only increased the emphasis on cybersecurity in healthcare but has also clarified the expectations and requirements for healthcare organizations. The Act underscores the criticality of robust cybersecurity practices in maintaining patient trust, protecting sensitive data, and ensuring the continuity of essential healthcare services.

     

Navigating the Future of Healthcare Cybersecurity

As the landscape of healthcare evolves, so does the complexity of its cybersecurity challenges. The industry is increasingly reliant on a variety of connected devices and systems, each carrying sensitive patient data and requiring robust protection. Against the backdrop of stringent regulations and evolving threats, it is clear that the future of healthcare cybersecurity will be shaped by a continuous process of adaptation and innovation.

One of the key drivers in this journey will be the implementation and adherence to HHS 405(d) HICP guidelines. These provide a comprehensive framework to guide healthcare organizations in their cybersecurity efforts. With the PATCH Act making adherence to these guidelines mandatory, they will play an integral role in defining cybersecurity strategies moving forward.

Microsegmentation will undoubtedly be at the forefront of this transformation. As demonstrated by the PATCH Act's emphasis on this strategy, microsegmentation offers a potent solution to secure diverse clinical networks. By isolating devices and controlling access, it significantly reduces the attack surface and prevents the lateral movement of threats.

However, implementing microsegmentation and maintaining device visibility requires a thorough understanding of the technology and an ability to manage its complexity. This includes knowing how to conduct effective risk assessments, understanding the behavior of various devices in the network, and leveraging tools that can automate and streamline these processes.

Healthcare organizations must also maintain a keen focus on device security, especially for legacy devices that may be more susceptible to cyber threats. The need for device visibility and risk assessment has never been greater, and these should be key considerations in any cybersecurity strategy.

In this evolving landscape, the role of trusted advisors and experts cannot be understated. As CISOs navigate the complexities of healthcare cybersecurity, partnerships with those who can offer guidance, expertise, and innovative solutions will be invaluable.

The journey towards a secure healthcare future may be challenging, but with the right understanding, strategies, and partnerships, healthcare organizations can effectively manage cyber risks while continuing to deliver critical services. As we look to the future, the focus should be on continuous learning, adaptation, and vigilance in the face of evolving cyber threats.

       

Action Plan for CISOs

As the cybersecurity landscape continues to evolve, it's essential for Chief Information Security Officers (CISOs) to stay ahead of the curve. To help navigate the complexities and manage the risks associated with cybersecurity in healthcare, here's a step-by-step action plan:

  1. Understand HHS 405(d) HICP and its Benefits: Familiarize yourself with the Health and Human Services (HHS) 405(d) Health Industry Cybersecurity Practices (HICP). Understand the value it provides, including its potential regulatory benefits and the improved security posture it can foster within your organization.
  2. Implement Microsegmentation: Consider the implementation of microsegmentation strategies as a part of your cybersecurity framework. This can provide enhanced protection for your network by limiting the lateral movement of threats and protecting critical systems and sensitive data.
  3. Manage Device Visibility and Risk: Establish a robust system for managing device visibility and risk within your clinical networks. This includes ensuring the security of unmanaged devices and legacy systems that can be potential vulnerabilities.
  4. Align with the PATCH Act of 2022: Understand the requirements of the PATCH Act of 2022 and align your cybersecurity strategies accordingly. Ensure that your organization is prepared to handle the cybersecurity responsibilities related to medical devices as outlined in this legislation.
  5. Prioritize HIPAA Compliance: Despite the implementation of new cybersecurity practices, continue to prioritize HIPAA compliance. Be mindful that the HHS 405(d) HICP does not provide relief from HIPAA regulations and violations can still result in penalties.
  6. Seek Expert Advice: Given the complexities involved, consider seeking the guidance of trusted advisors and industry experts in healthcare cybersecurity. They can provide valuable insights into both the technical aspects of implementing these strategies and managing the broader organizational and regulatory implications.
  7. Review and Update Regularly: Cybersecurity is not a one-time task but an ongoing process. Regularly review your cybersecurity practices and update them as necessary to address evolving threats and changing regulations.

By following this action plan, CISOs can ensure they are taking proactive steps to bolster their organization's cybersecurity posture, protect sensitive patient data, and comply with regulatory requirements.

      

Conclusion

Healthcare organizations are at the crossroads of rapid technological evolution and increasingly sophisticated cyber threats. In this landscape, cybersecurity is no longer a supporting function but a critical enabler of healthcare delivery. As the industry continues to advance, organizations must adopt robust, agile, and efficient cybersecurity strategies.

HHS 405(d) HICP has emerged as an essential guiding framework in this journey. They provide comprehensive, industry-specific guidelines that healthcare organizations can rely upon to enhance their cybersecurity posture. Implementing these guidelines, particularly the practice of microsegmentation, is crucial for protecting sensitive patient data, maintaining device visibility, and ensuring regulatory compliance.

However, adopting these practices is not a one-time event but an ongoing process. It involves understanding the intricacies of microsegmentation, conducting effective risk assessments, and adapting to the evolving behavior of devices in the network. Ensuring device visibility and security, especially for legacy devices, is a critical component of this process.

In conclusion, the future of healthcare cybersecurity is a path of continuous learning and adaptation. It is about harnessing the power of innovative technologies and practices, such as microsegmentation, to protect sensitive data and ensure the delivery of critical services. It is also about building partnerships with trusted advisors who can provide guidance and expertise in this complex journey. By embracing these principles, healthcare organizations can navigate the challenges of today and be prepared for the uncertainties of tomorrow.

Download this White Paper

Contributors:

dana-yanch

Dana Yanch

Director of Product Management

Sources:

2) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP 2023 Edition): U.S. Department of Health and Human Services
2) 7 Things Healthcare Leaders Should Know About 405(d) HICP: Clearwater Security & Compliance.
2) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP 2023 Edition): U.S. Department of Health and Human Services
3) What is HHS 405(d), and how can it help build cybersecurity readiness?: Healthcare IT News
Related Articles

From Our Blog

Stay up to date with what is new in our industry, learn more about the upcoming products and events.

Identity-Based Microsegmentation: Technical Insights from Network Field Day 36 #NFD36
Identity-Based Microsegmentation: Technical Insights from Network Field Day 36 #NFD36

Identity-Based Microsegmentation: Technical Insights from Network Field Day 36 #NFD36

4 min read
Zero Day Attacks, Zero Trust and Microsegmentation: How to Limit the Blast Radius
Blog Thumbnail - Blog Zero Day Attacks, Zero Trust and Microsegmentation: How to Limit the Blast Radius

Zero Day Attacks, Zero Trust and Microsegmentation: How to Limit the Blast Radius

3 min read
Understanding and Preventing Lateral Movement: A Strategic Guide for Enterprise Security Leaders
Blog Post Thumbnail Understanding and Preventing Lateral Movement

Understanding and Preventing Lateral Movement: A Strategic Guide for Enterprise Security Leaders

4 min read