New HC3 report defines security assessments needed for healthcare organizations during and after COVID-19

Rich Curtiss, Director, Healthcare Cyber Risk Services, Coalfire

The Health Sector Cybersecurity Coordination Center (HC3) recently delivered a report that defines and articulates the security assessments and information technology audits that should be considered during and after the COVID-19 pandemic.

According to the report, COVID-19 has required an increased need to collect and share information between providers, patients, hospitals, vendors and other organizations. This has led to an uptick in malicious cyber campaigns that are targeting healthcare facilities across the United States and United Kingdom.

HC3 emphasizes the necessity and importance of conducting ‘Security Assessments in Care Settings’ and defines the steps that should be taken, including:

  • Create a core assessment team
  • Review existing security policies
  • Create a database of IT assets
  • Understand threats and vulnerabilities
  • Estimate the impact
  • Determine the likelihood
  • Plan the controls

Additional security measures include:

  • Cyberattack simulation tests
  • Security scanning
  • Vulnerability scanning
  • Ensure supplier compliance
  • Proper Business Associate Agreements
  • Penetration testing

Information technology (IT) auditing in a healthcare environment is used to identify gaps and expose issues with the controls in current security systems, allowing organizations to address them before a cybercriminal takes advantage of system weaknesses. IT auditing will ensure compliance gaps or deficiencies are identified and recommendations for mitigating and resolving the compliance deficiencies are defined.

A final post-COVID-19 U.S. Department of Health and Human Services (HHS) recommendation concludes that when the pandemic normalizes, healthcare providers should conduct a thorough security assessment to identify and mitigate the new threat vectors and vulnerabilities introduced during the COVID-19 pandemic.

Fundamentally, the HC3 report follows the HIPAA Security Rule implementation specifications for:

  • Risk Analysis – 45 CFR § 164.308(a)(1)(ii)(A) {Security Assessment}
  • Risk Management – 45 CFR § 164.308(a)(1)(ii)(B) {Security Assessment}
  • Technical Evaluation – 45 CFR § 164.308(a)(8) {Vulnerability Analysis and Penetration Testing}
  • Non-Technical Evaluation – 45 CFR § 164.308(a)(8) {IT Auditing}

The items noted in brackets above use the terminology applied in the HC3 report for an easy cross-reference to the HIPAA Security Rule.

The importance of the HC3 report and recommendations lies in the fact that threat vectors have changed due to COVID-19. The extended use of telehealth, together with the Office for Civil Rights (OCR) HIPAA enforcement discretion, has introduced temporarily approved service platforms such as Zoom, FaceTime, Facebook Messenger, etc. that may not meet HIPAA requirements and would need to be assessed for risks once the OCR action is terminated. The quarantine has also introduced a massive work-from-home business continuity model which, in all probability, has not been considered in existing business continuity and disaster recovery planning.

When the pandemic subsides and the OCR rescinds enforcement discretion, organizations should make sure they follow the HHS recommendation to conduct a thorough security assessment of potential new threat vectors that may have been introduced by COVID-19.
