AEHIS Guidance Lists Recommended Controls to Mitigate Cyberattack Risks
Zach Donisch, Director, Membership Services
On Jan. 2, the Health Information Sharing and Analysis Center issued a bulletin to alert the healthcare sector of possible retaliation by Iran after the commander of the Iranian Revolutionary Guard Corps was killed in a drone attack in Iraq. The bulletin noted that “(w)hile Iran has no history of directly targeting the healthcare sector, their targeted cyber operations have impacted healthcare organizations in the U.S. and abroad in prior incidents.”
AEHIS’ Incident Response Committee worked through the following weekend to research and write a guidance for healthcare information security and IT executives to help them mitigate the risk to their healthcare organizations if a cyberattack by a nation state occurs. AEHIS has made the guidance available to the public.
The guidance is not meant to serve as a comprehensive list of security controls. The authors recommend that hospitals and healthcare facilities that are not yet following industry best practices such as having a perimeter firewall, a spam filter or AV software first focus on bringing their organization up to the standard. Their guidance, “Healthcare Sector Preparations for the Threat of Nation State Sponsored Cyberattacks Against Critical infrastructure,” offers 17 recommended controls as a supplement to industry standards.
Recommendations like patching may serve as a reminder to stay up to date and take extra precautions to ensure all connected systems are properly patched for known vulnerabilities. They also suggest verifying disaster recovery and business continuity plans as well as backup systems to proactively identify and correct any problems in advance of a possible attack on critical infrastructure. The authors provide examples of deterrents, decoys, threat identification, malware detection and inventory management along with practices that can contain a breach and minimize damage.
CHIME and AEHIS thank the AEHIS Incident Response Committee for putting in many volunteer hours to help our sector better protect itself. We encourage members to review this resource and let their team members and colleagues know it is available for their use as well. The guidance is available on the AEHIS website at https://aehis.org/ciso-resources/or by clicking here.