Cybersecurity 

Topic Brief

This topic brief defines information security and cybersecurity and explains why both matter, so that healthcare organizations can understand the impact they have on the delivery of care. Patient information is a very valuable asset which needs to be protected by physical and electronic means. Here are some terms that are commonly used in the cybersecurity realm.

 

Breach to Cybersecurity

Breach: An impermissible or unauthorized use or disclosure of information or data. Requirements may exist at the state, local, Federal, or other levels, including, but not limited to, HIPAA requirements.

 

Clear text: Text which has not been encrypted and which a human can read.

 

Confidentiality: Confidentiality refers to information being kept confidential (i.e., private). Consistent with the HIPAA Privacy Rule, protected health information may be used or disclosed as permitted or required under certain circumstances. Other confidentiality laws and regulations may apply, depending upon the jurisdiction and other factors. From a broad perspective, examples of measures taken to keep information confidential include, but are not limited to, the following:

  • Physical safeguard: A physical lock on a file drawer which contains protected health information (whether in hardcopy, film, electronic media, or another format).
  • Technical safeguard: Information which is encrypted, if such information is in electronic form.
  • Administrative safeguard: Having a policy and training staff on disclosing the “minimum necessary” amount of information concerning a patient.  

 
Credential stealing malware: Malware which steals usernames, passwords, and other credentials used to access a protected computer system or device.  

 

Cybersecurity: The ability to protect or defend the use of cyberspace from cyberattacks. Cybersecurity is a subset of information security, one concerned specifically with cyberspace (i.e., the realm of electronic information). In healthcare, information which is relevant or necessary to the delivery of care exists virtually everywhere. As a result, this information must be protected and defended from compromises such as cyberattacks, data leakage, breaches, and the like. In particular, the confidentiality, integrity, and availability of information must be protected. The HIPAA Security Rule requires covered entities and business associates to protect the confidentiality, integrity, and availability of information with the following safeguards:

  • Physical
  • Administrative
  • Technical
Resources

Breach: HIPAA Breach Notification Rule: An overview of the HIPAA Breach Notification Rule, which requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.


Clear text: Information Technology Laboratory Computer Security Resource Center Glossary: This NIST-maintained glossary provides information and associated source material on computer security terms.


Confidentiality: HIPAA Security Series #3: Security Standards-Physical Safeguards: These HIPAA security series papers, from Centers for Medicare & Medicaid Services (CMS), are designed to give HIPAA covered entities insight into the Security Rule, and assistance with implementation of the security standards. This series aims to explain specific requirements, the thought process behind those requirements, and possible ways to address the provisions.


Credential stealing malware: United States Computer Emergency Readiness Team (US-CERT) Malware Overview: Dridex P2P: The Department of Homeland Security's US-CERT division provides a description of the Dridex P2P malware, its impact, and mitigation solutions.


Cybersecurity: NIST Cybersecurity Framework: This framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. 

Denial of Service to Hazard

Denial of service: An attack which is intended to make a machine, network, and/or service inaccessible. 

 

Encrypted text: The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.  

 

Exploit: Code or other information which may be used to take advantage of a vulnerability to achieve a desired end.  

 

Hacktivist: A person who hacks for political, ideological, or sociological reasons.  Essentially, a hacker who is an activist.  

 

Hazard: A source of potential danger or adverse condition.  Hazards may be natural (e.g., floods, fire, etc.) or manmade (e.g., technological accidents or attacks).  

Resources

Denial of service: United States Computer Emergency Readiness Team (US-CERT) Security Tip: Understanding Denial-of-Service Attacks: The Department of Homeland Security's US-CERT division provides an overview of DoS attacks, including some mitigation strategies.


Encrypted text: Guide to Storage Encryption Technologies for End User Devices: This NIST-produced whitepaper is designed to assist organizations in understanding storage encryption technologies for end user devices and in planning, implementing, and maintaining storage encryption solutions.


Exploit: National Vulnerability Database: This NIST-maintained database is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.


Hacktivist: Hacktivist vs. Cyberterrorist: Understanding the 5 enemies of healthcare IT security: This Healthcare IT News article from 2016 provides an overview of an Institute for Critical Infrastructure Technology (ICIT) report, which describes how cyber attackers can be categorized according to their targets, tactics, techniques, malware, and procedures.

Hazard: Federal Emergency Management Agency (FEMA) Hazard Mitigation Planning: This page introduces hazard mitigation planning and describes the benefits of this activity. The intended audience is state, tribal, and local officials and members of the public interested in hazard mitigation planning.

 

Incident to Physical Security

Incident: The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. 

 

Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

 

Integrity: Integrity refers to ensuring that no intentional or unintentional modification of information has occurred. Consistent with the HIPAA Security Rule, electronic protected health information must have integrity. 
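The two definitions above, "Encrypted text" and "Integrity", are illustrated below by an added example that is not part of the original topic brief. It uses only the Go standard library: AES-256-GCM turns a constructed sample patient record into encrypted text that carries no readable meaning without the key, and the GCM authentication tag makes any modification of the encrypted text, intentional or accidental, fail decryption rather than silently yield altered data. The key, the sample record, and the function names are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Encrypt transforms clear text into encrypted text with AES-256-GCM.
// The 32-byte key is the "confidential key" of the glossary definition;
// the GCM authentication tag appended by Seal is what later lets the
// reader verify integrity. Output layout: nonce || ciphertext || tag.
func Encrypt(key, clearText []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message; reusing one with the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, clearText, nil), nil
}

// Decrypt reverses Encrypt. It returns an error, never garbage, when the key
// is wrong or when any byte of the encrypted text was modified at rest or in transit.
func Decrypt(key, encrypted []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(encrypted) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("encrypted text too short")
	}
	nonce, ct := encrypted[:gcm.NonceSize()], encrypted[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// TamperDetected flips a single bit of a copy of the encrypted text and reports
// whether decryption refuses it. True means the integrity check caught the change.
func TamperDetected(key, encrypted []byte) bool {
	if len(encrypted) == 0 {
		return false
	}
	modified := append([]byte(nil), encrypted...)
	modified[len(modified)-1] ^= 0x01
	_, err := Decrypt(key, modified)
	return err != nil
}

func main() {
	key := make([]byte, 32) // assumed key; in practice it comes from a key-management system
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("Patient: Jane Doe, MRN 000000 (constructed sample record)")
	encrypted, err := Encrypt(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted text: %x\n", encrypted)
	decrypted, err := Decrypt(key, encrypted)
	fmt.Println("clear text restored with the key:", err == nil && bytes.Equal(decrypted, record))
	fmt.Println("modification detected:", TamperDetected(key, encrypted))
}
```

The design point for ePHI at rest or in transit is that confidentiality and integrity are separate properties: a cipher mode without authentication (plain CBC or CTR, for instance) would hide the record but could still decrypt a modified ciphertext into altered clear text, which is exactly the unintentional or intentional modification the Integrity definition rules out.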

 

Malicious software (malware): A program or set of instructions which is intended to adversely affect or otherwise compromise a computer system or device.  

 

Nation state actor: A person who is working for a government or nation state.  The end goal may be espionage, blackmail, theft, or otherwise. 

 

Non-state actor: A person who is working for a non-state organization (e.g., a criminal or other organization).  

 

Physical security: Protection of physical assets, infrastructure, and people.  

Resources

Incident: HIPAA for Professionals FAQ-What does the Security Rule require a covered entity to do to comply with the Security Incidents Procedures standard?: This FAQ from the Department of Health and Human Services provides important information on security incident reporting.


Information Security: The NIST Computer Security Resource Center (CSRC): This center facilitates broad sharing of information security tools and practices, provides a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia.


Integrity: HIPAA Security Series #4: Security Standards-Technical Safeguards: These HIPAA security series papers, from Centers for Medicare & Medicaid Services (CMS), are designed to give HIPAA covered entities insight into the Security Rule, and assistance with implementation of the security standards. This series aims to explain specific requirements, the thought process behind those requirements, and possible ways to address the provisions.


Malicious software (malware): Protect Your Computer from Malware: This video from the Federal Trade Commission provides information on how to avoid, detect, and remove viruses and spyware from a computer.


Nation state actor: "The FBI's Approach to the Cyber Threat": The transcript of this August 2016 speech from the Symantec Government Symposium provides a look at how the FBI is responding to the increase in cyber threats.


Non-state actor: Data Manipulation, Non-State Actor Intrusions are Coming Cyber Threats: This article from the U.S. Department of Defense's DoD News explores the insights of Navy Admiral Mike Rogers, director of the National Security Agency, on the coming non-state actor intrusion threats that global computer networks face.


Physical security: HIPAA Security Series #3: Security Standards-Physical Safeguards: These HIPAA security series papers, from Centers for Medicare & Medicaid Services (CMS), are designed to give HIPAA covered entities insight into the Security Rule, and assistance with implementation of the security standards. This series aims to explain specific requirements, the thought process behind those requirements, and possible ways to address the provisions.

Ransomware to Vulnerability

Ransomware: A type of malicious software that infects a computer system or device and restricts or blocks users’ access to it, warning users that data will not be decrypted unless a ransom is paid. 

 

Risk: The potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.  

 

Threat: Something which has the potential to harm life, information, operations, the environment and/or property.  A threat may be natural or manmade.  

 

Vulnerability: A weakness in software, hardware, a device, a program, or another component. A vulnerability may or may not be exploitable.

Resources

Ransomware: Incidents of Ransomware on the Rise: This April 2016 article from the News section of the FBI's website describes the state of ransomware at the time of its publication and gives some information on how individuals and organizations can protect themselves.

 

Risk: HIMSS Health Privacy & Security Risk Assessment: The HIMSS Risk Assessment Toolkit guides healthcare organizations through the security risk analysis and risk management process. The toolkit provides resources to help organizations understand risk assessments, including a step-by-step Security Risk Assessment Guide/Data Collection Matrix.


Threat: Department of Homeland Security's Risk Lexicon: The DHS Risk Lexicon is a common, unambiguous set of official terms and definitions intended to ease and improve the communication of risk-related issues by facilitating the clear exchange of structured and unstructured data among risk practitioners.

 

Vulnerability: National Vulnerability Database: This NIST-maintained database is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.