Walk into any hospital in America and you can expect to see more or less the same thing: attentive staff, a doctor present, and triage capabilities for anything that might come through the revolving doors.
Part of that confidence comes from the accreditation organizations that Healthcare Delivery Organizations (HDOs) use to prove their capabilities. Accreditation organizations approved by the Centers for Medicare and Medicaid Services (CMS) in the United States have long mandated a wide range of requirements that HDOs must achieve and maintain. Receiving the stamp of approval from one of these accreditation firms can make a difference in reimbursement from government agencies and in maintaining compliance with a host of regulations.
Accreditation firms that have mostly focused on standards of care and operations are now turning their attention to the cybersecurity posture of HDOs. Recently, we wrote about a new Sentinel Event Alert from The Joint Commission (TJC) that discussed cybersecurity posture. As HDOs face more cyber threats, this focus from accreditation organizations should come as little surprise.
Another accreditation organization has also just released new guidance. DNV is an international accreditation body and site auditor whose hospital accreditation program is CMS-approved. DNV goes beyond The Joint Commission rules by integrating ISO 9001 quality management requirements into its standards. The new guidance will be released in the 23-1 revision of DNV's National Integrated Accreditation For Healthcare Organizations (NIAHO) standards document, targeted for October 6, 2023. The inclusion of new language around cybersecurity is further proof that accreditation organizations are taking a harder look at specific guidance for HDOs seeking accredited status.
Unpacking DNV’s New Cybersecurity Guidance
The 23-1 revision of DNV's NIAHO® Accreditation Requirements, Interpretive Guidelines and Surveyor Guidance for Hospitals includes a few key points that treat cybersecurity as a critical component of the security program an HDO must manage.
The interpretive guidance DNV includes reads:
Security Vulnerability Assessment
There is no specific format required for the Security Vulnerability Assessment required by NFPA 99-2012 Chapter 13 and PE.4 (SR.3). The organization should utilize a format that meets its requirements/needs and that allows for the organization to meet the requirements of Chapter 13. Additional sources of information on conducting a Security Vulnerability Assessment can be found in the current edition of NFPA 730, Guide for Premises Security and IAHSS Healthcare Security Industry Guidelines.
Organizations are expected to address cybersecurity risks, including but not necessarily limited to, information technology systems, medical records, internet-connected and networked medical and facility equipment as well as equipment that can be accessed via external devices, such as USB drives.
Organizations are advised to consult the following resources to assist in developing their cybersecurity processes:
A few pages later, DNV also includes:
“In order to prepare for such an emergency, the organization shall conduct a hazard vulnerability analysis to identify potential emergencies or other circumstances that may impact the hospital and the community, including cybersecurity issues. The organization shall maintain documentation that this analysis has been conducted and that the organization has prioritized activities to address and prepare for these vulnerabilities.”
These two sections refer to two distinct core cybersecurity practices. The first is remediating vulnerabilities and risks in critical information systems. When an organization addresses cybersecurity risks, it remediates issues through its technology architecture: limiting third-party access, applying the principle of least privilege to internal users, and ensuring that any systems that need to be segmented from the rest of the network can be segmented.
The second component of the guidance, the hazard vulnerability analysis, is an emergency-preparedness exercise. In cybersecurity terms it means identifying the security flaws in connected medical devices and software assets that could cause an emergency or disrupt care. The two most important elements of DNV's interpretive guidance here are that the analysis must be documented and that the identified vulnerabilities must be prioritized based on their real impact on the organization.
Why would DNV include these items around cybersecurity and not others?
For starters, the best cybersecurity programs are risk-based. Deploying specific tooling such as an endpoint protection platform, a network firewall, or a SIEM for log analysis is of course important, but adding tools without understanding the actual risk of a breach doesn't provide better security. Resolving vulnerabilities reduces the number of possible attack paths, hardening technical infrastructure and making it more difficult for threat actors to reach critical systems. To get there, HDOs need to first identify vulnerabilities and then prioritize fixes based on risk scoring.
If DNV were to provide guidance on specific tooling, their guidance would not provide any substantial improvement in security. Besides that, often HDOs already have requests from their cyber insurance providers to have specific tools deployed. Offering up guidance around a risk-based approach is more in line with the role of accreditation organizations in providing higher-level guidance for their covered populations.
The Cybersecurity Trend Hidden in DNV’s Guidance
Traditional cybersecurity advice has focused on the solutions deployed within organizations. For HDOs, this has involved ensuring they deploy security tools throughout their systems and gathering data to monitor for threats. In terms of vulnerabilities, this thinking focuses on resolving every possible system weakness throughout the entire organization.
Adding new tools and resolving every possible vulnerability simply isn't sustainable. That goes for any organization, HDO or not, of any size. Even the largest HDOs don't have the staff to resolve all of the 20,000+ CVEs that are identified every year. We hear of customers taking valid reports of devices with 1,000 vulnerabilities back to the manufacturer for discussion. With some reports putting the average time to resolution at up to 215 days, patching every vulnerability isn't realistic.
The cybersecurity profession at large has started to realize that. There is an ongoing shift toward a risk-based approach to vulnerability management. Rather than patching everything, organizations emphasize resolving the vulnerabilities that are actually relevant to their operations: those that are exploitable, reachable, and sitting on systems whose compromise would matter. A risk-based approach reduces the number of vulnerabilities that cybersecurity teams need to focus on. It also improves security far more quickly, because the riskiest weaknesses are resolved first.
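To make that prioritization concrete, here is an added example written for this article; it is not Asimily platform code and not part of DNV's guidance. It ranks findings across a small connected-device inventory by combining severity with exploit likelihood, network exposure, and clinical criticality. The weighting scheme, the 1 to 5 criticality scale, the device inventory, and the finding labels (F1 to F5, not real CVE identifiers) are all constructed assumptions; a real program would pull these from the CMMS, the NAC, and a vulnerability feed with exploitation intelligence.

```python
"""Risk-based vulnerability prioritization over a connected-device inventory.

Added illustration, not Asimily's or DNV's code. The weights, the clinical
criticality scale, the inventory and the findings are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    clinical_criticality: int  # assumed scale: 1 (administrative) .. 5 (life-sustaining)
    internet_exposed: bool     # reachable from outside the HDO network
    segmented: bool            # on an isolated VLAN with restricted access


@dataclass(frozen=True)
class Finding:
    ident: str                 # constructed label, not a real CVE ID
    device: str
    cvss: float                # base severity, 0..10
    known_exploited: bool      # exploited in the wild per threat intelligence
    exploit_available: bool    # public proof-of-concept exists
    patch_available: bool


def likelihood(f: Finding) -> float:
    """Assumed exploit likelihood; in-the-wild exploitation dominates."""
    if f.known_exploited:
        return 0.9
    if f.exploit_available:
        return 0.6
    return 0.3


def exposure(d: Device) -> float:
    """Assumed reachability factor; segmentation lowers risk even when unpatched."""
    if d.internet_exposed:
        return 1.0
    if not d.segmented:
        return 0.6
    return 0.3


def risk_score(f: Finding, d: Device) -> float:
    """0..100 score: likelihood x exposure x impact.

    Impact is severity scaled by how much the device matters to patient care,
    so a CVSS 10 on a segmented HVAC controller can rank below a CVSS 7.5 on
    an unsegmented clinical workstation.
    """
    impact = (f.cvss / 10.0) * (d.clinical_criticality / 5.0)
    return round(likelihood(f) * exposure(d) * impact * 100.0, 1)


def recommended_action(f: Finding, d: Device) -> str:
    """Patch when possible; otherwise fall back to a compensating control."""
    if f.patch_available:
        return "patch"
    if not d.segmented:
        return "segment/restrict access (compensating control)"
    return "monitor; accept residual risk"


def prioritize(findings, devices):
    """Return (ident, device, score, action) tuples, highest risk first."""
    by_name = {d.name: d for d in devices}
    ranked = []
    for f in findings:
        d = by_name[f.device]
        ranked.append((f.ident, f.device, risk_score(f, d), recommended_action(f, d)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed inventory and findings, for illustration only.
DEVICES = [
    Device("infusion-pump-12", 5, internet_exposed=False, segmented=False),
    Device("pacs-server", 4, internet_exposed=True, segmented=False),
    Device("hvac-controller", 2, internet_exposed=False, segmented=True),
    Device("nurse-station-pc", 3, internet_exposed=False, segmented=False),
]
FINDINGS = [
    Finding("F1", "pacs-server", 9.8, known_exploited=True, exploit_available=True, patch_available=True),
    Finding("F2", "infusion-pump-12", 9.8, known_exploited=False, exploit_available=False, patch_available=False),
    Finding("F3", "hvac-controller", 10.0, known_exploited=True, exploit_available=True, patch_available=True),
    Finding("F4", "nurse-station-pc", 7.5, known_exploited=False, exploit_available=True, patch_available=True),
    Finding("F5", "infusion-pump-12", 5.3, known_exploited=False, exploit_available=False, patch_available=True),
]


if __name__ == "__main__":
    for ident, dev, score, action in prioritize(FINDINGS, DEVICES):
        print(f"{score:5.1f}  {ident:<3} {dev:<18} {action}")
```

Run as a script, the list comes out F1, F2, F4, F3, F5: the internet-facing, actively exploited PACS finding is at the top, the unpatchable infusion-pump finding is second with an isolation recommendation rather than a patch, and the CVSS 10 on the segmented HVAC controller drops below a lower-severity finding on an unsegmented workstation. That reordering, not the absolute numbers, is the point of a risk-based approach.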
Future cybersecurity strategies will continue to focus on risk. HDOs in particular would do well to emphasize that approach, as they often have little in the way of a cybersecurity budget. Given the focus on risk by accreditation organizations like TJC and DNV, an emphasis on risk internally would also help meet their guidance.
How Asimily Enables DNV’s Recommendations
DNV’s interpretive guidance implies a risk-based approach designed to ensure the long-term security and operational health of HDOs. Core components of long-term operational security are technologies that allow for risk-based software vulnerability prioritization as well as flexible incident response in the event of a security incident.
Guidance: Organizations are expected to address cybersecurity risks, including but not necessarily limited to, information technology systems, medical records, internet-connected and networked medical and facility equipment as well as equipment that can be accessed via external devices, such as USB drives.
Asimily recommends clinically viable workarounds beyond segmentation and patching to mitigate vulnerabilities in cases where eliminating the vulnerability is not possible.
Through integration with other network and security tools, the Asimily platform supports providers with simple, targeted remediation options based on device context and other chosen parameters. It works with the systems HDOs already have in place, such as the CMMS and NAC. When malicious activity is detected, Asimily assists with blocking or quarantining the device on the network. Depending on provider preference, threat response actions can be initiated automatically or carried out by the provider under Asimily's guidance.
Guidance: Conduct a hazard vulnerability analysis to identify potential emergencies or other circumstances that may impact the hospital and the community, including cybersecurity issues.
The Asimily platform empowers organizations to perform a comprehensive vulnerability analysis on any HDO system. It’s designed to illuminate weaknesses in internet-connected or network-accessible devices, while also giving cybersecurity teams the tools to adopt a risk-based approach to vulnerability management.
This is especially vital because medical devices can and do behave differently than traditional endpoints and servers. With the Asimily platform, HDOs can perform a vulnerability analysis for any weaknesses specific to the healthcare ecosystem and ensure continuity of care.
Guidance: The organization shall maintain documentation that this analysis has been conducted and that the organization has prioritized activities to address and prepare for these vulnerabilities.
Asimily’s Security Summary Report includes risk heatmaps for executives and directors to better understand their current risk profile. Our security summaries also serve as documentation for prioritizing activities, allowing CISOs and cybersecurity teams to show their work and provide guidance back to regulators and accreditation organizations about their risk-mitigation activities.
As more accreditation organizations like DNV take the stance of providing specific guidance around cybersecurity, it’s critical for HDOs to adopt practices and procedures that reflect a new risk-based approach. Solutions like the Asimily platform that are built with healthcare in mind are a boon to these efforts. With solutions dedicated to healthcare security, built on the same frameworks that HDOs need to follow, Asimily customers can be confident in their adherence to accreditation standards now and in the future.
To learn more about the Asimily risk remediation platform, download our Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk whitepaper or contact us today.