Cybersecurity Practices at Medium-Sized Health Care Organizations

Medium-sized health care organizations perform critical functions for the health care and public health (HPH) sector. These organizations include critical access hospitals in rural areas, practice management organizations that support physician practices, revenue cycle or billing organizations, mid-sized device manufacturers, and group practices. Medium-sized health care organizations generally employ hundreds of personnel, maintain between hundreds and a few thousand information technology (IT) assets, and may be primary partners with and liaisons between small and large health care organizations. It is typical for a medium-sized organization to have several critical systems that are interconnected to enable work activities in support of the organization’s mission.

These organizations tend to have a diverse inventory of assets that support multiple revenue streams. They also tend to have narrow profit margins, limited resources, and limited flexibility to implement robust cybersecurity practices. For example, it is rare for a medium-sized organization to have its own dedicated 24x7x365 security operations center (SOC).

Medium-sized organizations tend to focus on preventing cybersecurity events, implementing rigid security policies, with few exceptions permitted. This rigidity is often due to insufficient resources to support more open and flexible cybersecurity models, such as those larger organizations can often afford. Medium-sized organizations usually struggle to obtain cybersecurity funding that is distinct from their standard IT budgets. The top security professional in an organization of this size might often feel overwhelmed by compliance and cybersecurity duties, wear multiple hats, and experience constraints around execution plans.

Medium-sized organizations operate in complex legal and regulatory environments that include but are not limited to the following:

• The Office of the National Coordinator for Health Information Technology (ONC) regulations for interoperability of Certified Electronic Health Information Technology
• The Medicare Access and Children’s Health Insurance Program Reauthorization Act of 2015 (MACRA)/Meaningful Use
• Multiple enforcement obligations under the Food and Drug Administration (FDA)
• The Joint Commission accreditation processes
• The Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology Economic and Clinical Health Act (HITECH) requirements
• The Payment Card Industry Data Security Standard (PCI-DSS)
• Substance Abuse and Mental Health Services Administration (SAMHSA) requirements
• The Gramm-Leach-Bliley Act for financial processing
• The Stark Law as it relates to providing services to affiliated organizations
• The Family Educational Rights and Privacy Act (FERPA) for those institutions participating within Higher Education
• The Genetic Information Nondiscrimination Act (GINA)
• The new General Data Protection Regulation (GDPR) in the European Union

IT Assets Used by Medium-Sized Organizations

Medium-sized organizations may have up to a few thousand IT assets, with a mix of dozens to a hundred information systems. All assets may have cybersecurity vulnerabilities and are susceptible to cyber threats. There are three important factors in securing assets: (1) understanding their relationship within the organization’s IT ecosystem; (2) understanding how the workforce leverages and uses the assets; and (3) understanding the data that are generated, stored, and processed within those assets.

Not all assets are equally important; some are mission critical and must always be fully operational, while others are less critical, and might even be offline for days or weeks without harming the organization’s mission. Some assets have large repositories of sensitive data that represent significant risk, but are not as critical to the enterprise’s business. In all cases, the organization uses IT assets for business reasons and should protect those assets with proper cyber hygiene controls.

Examples of assets found in medium-sized organizations include but are not limited to the following:

• Static devices used by the workforce, such as shared workstations, and clinical workstations used strictly for patient care with select mobile devices, such as laptops and smartphones. Medium-sized organizations may not maintain many mobile devices, owing to budget restrictions.
• Internet of things (IoT) devices, such as smart televisions and medical devices, printers, copiers, and security cameras.
• Data that includes sensitive health information stored and processed on devices, servers, applications, and the cloud. These data include names, medical record numbers, birth dates, social security numbers (SSNs), diagnostic conditions, prescriptions, and mental health, substance abuse, or sexually transmitted infection information. These sensitive data are referred to as protected health information (PHI) under HIPAA.
• Assets related to the IT infrastructure, such as firewalls, network switches and routers, Wi-Fi networks (both corporate and guest), servers supporting IT management systems, and file storage systems (cloud-based or onsite).
• Applications or information systems that support the business processes. These may include human resource (HR) or enterprise resource planning (ERP) systems, pathology lab systems, blood bank systems, medical imaging systems, pharmacy systems, revenue cycle systems, supply chain or materials management systems, specialized oncology therapy systems, radiation oncology treatment systems, and data warehouses (e.g., clinical, financial).

Personal devices, often referred to as bring your own device (BYOD), are generally not permitted in medium-sized organizations due to the organizations’ inability to implement dedicated security controls required to secure such devices.

Cybersecurity Practices

Medium-sized organizations should consider, at minimum, implementing the Sub-Practices for Medium- Sized Organizations discussed in each cybersecurity practice presented in this volume. However, medium-sized organizations may additionally adopt the cybersecurity practices used by large organizations. Indeed, organizations should consider adopting any cybersecurity practice determined to be relevant.