Security chief touts the value of HICP, a cyber preparedness 'cookbook' with recipes for readiness

Erik Decker, chief security and privacy officer at University of Chicago Medicine, describes the value of HHS' Health Industry Cybersecurity Practices framework, which offers workable best practices for the management and mitigation of prevalent threats.
By Mike Miliard
02:31 PM

In December of 2018, the U.S. Department of Health and Human Services published a four-part document known as Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.

The document, known by the acronym HICP (and pronounced like the reflexive sound one might make after eating too quickly), offers extensive voluntary cybersecurity tips and best practices to give healthcare organizations – whatever size or shape they might be, and wherever they are with their security readiness – some tried-and-true advice and achievable steps to take to improve their posture.

As required by the Cybersecurity Act of 2015, section 405(d), HICP was drafted to help hospitals and medical practices more cost-effectively mitigate their cybersecurity risks. It was a two-year effort, compiled by 150 healthcare and infosec experts from the public and private sectors.

One of them was Erik Decker, chief security and privacy officer at University of Chicago Medicine, who served as industry co-lead on the project.

"We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats," Decker explained upon HICP's publication in 2018. "That is exactly what this resource delivers; recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert."

Helping bring the 'risk lens' into focus

Decker will be one of the speakers next month at the HIMSS Healthcare Security Forum, which takes place in Boston, December 9-10.

At UCM – a $2 billion non-profit academic medical center with more than 16,000 employees across Chicago and northwest Indiana – Decker has his hands full. And at the security forum he'll offer his first-hand perspective on best practices for identity and access management, phishing prevention and more.

But he'll also offer some updates on HICP, which offers valuable insights into managing threats such as ransomware, insider risks and medical device security. And there are updates. Because, not unlike the U.S. Constitution, HICP is a living document, designed to change with changing times.

"There has been a continued push on the 405(d) effort," Decker explains. "We are creating new supporting materials to HICP, such as 'Read Me' guide, which is sort of a Cliff's Notes to HICP, as well as technical threat-to-practice mapping that will allow the technical people to understand which practice will actually have the most bang for the buck for a particular type of threat that they're managing around." That supplemental material is due by the end of this year, he said.

Beyond that, "we're also working on just updating HICP and keeping that fresh," he said. The aim, by 2020, is to be on a "two-year cycle, essentially, to make sure that it is current. Because things change."

For example, he said, "we've been discussing how we talk about the number one threat is phishing – but the task group is now saying perhaps we should change that to social engineering instead. Because it's more than just phishing. It's just one example of a social engineering attack. So we're kind of changing with the times a little bit: Email compromise, impostor attacks and those types of things, we really want to call that out in a document as well as very effective attack types."

Decker says the task group is also working on a "whole new set of materials" focused around cybersecurity as a component of enterprise risk management.

"How does cybersecurity fit into an organization's overarching ERM methodology? How do we embed that in there, how do you have discussions with the board? As with HICP, we're producing a set of tools and toolkits to help people along in that process.

"We want to be very practical and actionable," he explained. "We'll be working on the sort of the general risks that we feel as a task group that the industry faces when it comes to these issues in an ERM capacity. And we'll be delivering sample reports and means and methods on how to communicate with the board. And metrics, of course."

A project of that size is going to take some time, of course, given that it's planned to be "roughly the same size and scope of what building HICP was like nationally," said Decker. "So we're setting that for release in 2021."

In the meantime, healthcare organizations large and small should be availing themselves of the advice on offer in HICP, which was envisioned as a "cyber hygiene companion" to help security pros get a grip on some of the low-hanging fruit that would best position them for risk mitigation.

"I also refer to it as a cookbook: a series of recipes that will help you mitigate and manage the most prevalent threats we face in healthcare," said Decker.

"The 'what can you do today' advice is where HICP really shines," he explained. "It gets you out into the deep details pretty quickly and succinctly, to get tactical and do some blocking and tackling."

And then the next level up – which, not insignificantly, is also a requirement under HIPAA – is the risk management program. HICP can help organizations chart and strategize for a risk analysis process and build a "centerpiece" risk management program to support it, he said.

"It's hard to do. But if you try to keep chasing every single issue that pops up every single day you'll just be chasing tails all day long."

That's why a guide like HICP, compiled by a wide cross-section of healthcare and security professionals, put together with years of thought and deliberation about how to prioritize threat preparedness and response, is so valuable, said Decker.

"You've got to have a risk lens, and it's got to be risk centric. You've got to think about where are these threats actually coming from – Are they malicious or accidental? Inside or external? – and then use that to develop the practices you're going to put into place. Because you can spend tons of money across the board on tons of stuff that might not actually be around the things you actually need to fix."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a publication of HIMSS Media.
