How to Reduce Cybersecurity Risks to Your Health Care Facility with NERC CIP Compliance

How to Reduce Cybersecurity Risks to Your Health Care Facility with NERC CIP Compliance | HealthSoul

The healthcare industry has adopted technology to achieve several goals. These include connecting systems, enhancing data analytics, and enabling real-time communication. Telehealth, Electronic Health Records (EHRs), wireless medical devices, and internet-connected equipment have become integral components of modern healthcare delivery.

But, increased connectivity also widens the attack surface for cyber threats. Healthcare organizations are now lucrative targets for ransomware, data breaches, and cyber-attacks. The impact of such events can directly affect patient safety and care delivery.

According to the National Library of Medicine, over 500 healthcare data breaches occurred in the US between 2009 and 2019. This resulted in the compromising of over 187 million patient records. The NIH emphasizes the criticality of cybersecurity readiness in the healthcare sector given the sensitivity of patient data. This article will guide you on how to reduce cybersecurity risks to your healthcare facility with NERC CIP compliance. 

Understanding NERC’s Critical Infrastructure Protection (CIP) Standards 

NERC develops and enforces mandatory standards to ensure the reliability and security of North America’s bulk electric systems. NERC CIP compliance standards provide cybersecurity guidelines tailored for electric utilities to safeguard their critical assets.

These industry-driven standards have evolved over time. They adapt to the changing threat landscape, emphasizing performance, risk management, detection, response, and enhancing entity capabilities. NERC adheres to an ANSI-accredited standard development process. They engage with the industry to reach a consensus while also balancing stakeholder interests.

Some examples of NERC CIP domains include: 

  • Asset identification and management
  • Cybersecurity awareness
  • Incident response
  • Access control
  • Data protection 
  • Recovery plans
  • Supply chain risk management

Together these set a stringent security baseline that utilities must comply with. NERC conducts regular audits and enforces penalties for violations. These can include significant fines.

While CIP standards were originally developed for electric utilities, they encapsulate cybersecurity best practices that can be adapted by healthcare organizations as well to assess and harden their defenses. The focus on risk management, detection, and recovery is extremely relevant in the context of healthcare delivery.

The Hidden Threat of Supply Chain Vulnerabilities 

The COVID-19 pandemic exposed the fragile nature of healthcare supply chains. Shortages of PPE, critical medical supplies, and medications highlighted systemic vulnerabilities that threaten patient care continuity.

The American Hospital Association states that healthcare leaders have a new focus. They are prioritizing supply chain strengthening. This includes forming partnerships with nearshore suppliers. They’re also implementing bidirectional transparency measures. Furthermore, they’re reevaluating inventory management and crafting contingency plans.

Supply chain cyber hygiene is equally important. The Solarwinds and Kaseya attacks revealed how a single compromised vendor can unleash malware across many downstream customers. Unchecked supplier access and lack of visibility into third-party cyber practices undermine healthcare delivery organizations. 

Implementing NERC CIP Standards in Healthcare Facilities

NERC CIP provides a framework based on the Reliability Functional Model which defines the essential functions for bulk electric system operations. This model can be adapted to improve cybersecurity in healthcare as well.

Here are some steps healthcare facilities can take to align with NERC CIP:

  • Conduct Audits: Assess current security policies, procedures, and technologies against NERC CIP requirements to identify gaps.
  • Perform Risk Assessments: Identify critical assets, vulnerabilities, and threats – consider interconnected systems, legacy equipment, and supply chain risks. 
  • Develop Plans: Create roadmaps to close security gaps leveraging NERC CIP standards as a blueprint, and secure leadership buy-in and budget.
  • Implement Controls: Deploy access controls, encryption, network segregation, and malware prevention based on asset criticality and risk appetite. 
  • Ensure Compliance: Establish procedures for continuous compliance, change control, and cyber practice reviews to account for evolving threats.

Best Practices for Managing Supply Chain Risks

Healthcare facilities face immense exposure through vulnerabilities in their supply chains. Suppliers, vendors, contractors, and other third parties can provide an open door for cybercriminals to gain access to sensitive systems and data. By implementing best practices around supply chain security, healthcare organizations can substantially reduce this risk exposure.

1. Careful Vendor Selection with Due Diligence

Thoroughly vet all potential vendors and suppliers through extensive due diligence including:

  • On-site cybersecurity assessments and penetration testing to evaluate defenses.
  • Review of past audits, breaches, and remediation efforts.
  • Verification of compliance with healthcare cybersecurity frameworks.
  • Checking if cyber insurance coverage is in place.

This avoids onboarding third parties with poor security postures.

2. Enforcing Least Privilege Access

Manage vendor access via strict, limited privileges and robust monitoring such as:

  • Just-in-time, temporary credentials that expire quickly.
  • Monitoring all sessions to detect unusual activity.
  • Prompt deprovisioning of access after work is completed.

This contains potential damage from compromised credentials.

3. Requiring Vendor Cyber Insurance

Mandate all third parties carry adequate cyber insurance to guarantee financial resources to assist with breach response, remediation, settlements, and losses.

4. Performing Ongoing Supply Chain Monitoring

Use practices like asset management, data classification, and inventory monitoring to continually evaluate risks from suppliers:

  • Classify data and map flows to suppliers to identify critical access points.
  • Maintain asset inventories of supplier-managed resources.
  • Assess configurations for unmanaged changes.
  • Staying Vigilant Reduces Blind Spots.

Healthcare organizations can address supply chain cyber risks and safeguard their environment by implementing multiple measures. These include enhanced due diligence, privileged access protections, cyber insurance coverage, and ongoing monitoring.

The Ripple Effect of NERC CIP Compliance 

Adopting the NERC CIP framework enhances the overall cybersecurity posture of healthcare delivery organizations in multiple ways:

1. Strengthens cyber defense capabilities proactively rather than reactively responding to threats.

2. Boosts patient trust and brand reputation by signaling cyber readiness to stakeholders.

3. Inculcates an organizational culture of collective responsibility towards cybersecurity. 

4. Prepares healthcare facilities for emerging threats from bad actors and evolving attack techniques.

5. Fulfills compliance obligations related to HIPAA security rules and other healthcare security regulations.

Key Takeaways

Cyber threats targeting healthcare organizations are rising exponentially. Having a proactive security stance is crucial. It ensures quality care and patient safety. The NERC CIP standards offer a solid blueprint for strengthening cyber defenses. It’s important to tailor them to the specific risks in healthcare delivery.

Investing in compliance and supply chain risk management creates a resilient cyber foundation for meeting future challenges.

Frequently Asked Questions

1. How does NERC CIP compliance differ for healthcare organizations compared to electric utilities?

Healthcare organizations have fewer mandatory CIP cybersecurity regulations than electric utilities which are deemed critical infrastructure. However, healthcare leaders recognize the merits of voluntarily utilizing NERC CIP frameworks to strengthen defenses.

2. What are the potential consequences of non-compliance with NERC CIP standards for healthcare providers? 

Although NERC CIP is mandatory for utilities, non-compliance can have serious repercussions for healthcare entities as well including data breaches, ransomware attacks, regulatory penalties, and loss of patient trust.

3. How can healthcare organizations ensure continuous compliance as NERC CIP standards evolve?

They can develop internal protocols for tracking NERC CIP version updates, perform gap assessments, secure leadership support, implement controls, monitor compliance, and participate in NERC outreach programs.