The purpose of this information is intended to provide a level of direction and guidance -- defined as Basic, Intermediate and Mature -- around the topic of cybersecurity protections as defined by 23 control categories.

The following is a series of definitions for each of the categories:

Email Protection Systems -- Email protection is a set of activities that address the various aspects of managing the security for an organization’s email system.  It is a culmination of processes, actions, or methodologies which an organization uses to protect business email.  The goal is to create effective security processes, train users to securely handle email, and ensure bad actors can’t use email as a jumping off point for access into a company’s network.

Endpoint Protection Systems -- An endpoint for organizations are those computer devices directly utilized by a user.  Normally this can be a workstation, a laptop, or some type of terminal device allowing a user to enter information into a computer system.  This is also one of the first points of attack bad actors focus on in trying to gain access into a healthcare organization’s computer network.

Identity and Access Management -- is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources like systems and application that align with their job duties. The Identity and Access Management responsibilities include the oversight of all provisioning and deprovisioning of user accounts, Single-Sign On, two-factor authentication, privileged access management and any other activities through-out the lifecycle of the user account.

Data Protection and Loss Prevention -- is a set of solutions, strategies, technologies, and techniques that ensure end-users do not transmit sensitive data outside of an organization. This is done by tracking data movement as it moves through and out of the organization and by enforcing disclosure policies to prevent unauthorized disclosure of data. Software solutions can be implemented to prevent data loss, whether it is network, endpoint, or cloud.

IT Asset Management – is to assess how the organization manages IT assets throughout its lifecycle. It helps you know what hardware and software you have. Gives you the ability to track detailed information on the assets like software version and purchase date. This detail helps you make informed decisions as time goes along, like forecasting the life cycle of your hardware or allowing you to act faster in response to security alerts so you can know the location, what version of software you are running, and if the system is vulnerable. IT Asset Management also includes initial provisioning of assets, tracking and management, integration with enterprise processes, and decommissioning / disposal processes. The scope of management consists of a variety of technology assets provisioned and managed by IT (e.g., servers, workstations, mobile devices, end-user devices, IoT devices, etc.).

Network Management -- is the set of activities, procedures, processes, tools, and roles associated with protecting the organization’s network.  The goal in any secure organization is to create a strong and secure network minimizing risk to the organization while also not significantly impeding operations.

Vulnerability Management -- is the practice of managing the exploitation of IT vulnerabilities and involves the identification and mitigation of known vulnerabilities as well as prioritization based on risk.  Vulnerability management should also include preparing for unknown vulnerabilities as well as risk mitigations for threats and vulnerabilities associated with your organization.

Incident Response – is a set of activities that address the short-term, direct effects of an incident and may also support short-term recovery.  In other words, this is a culmination of processes, actions, or methodologies which an organization uses to respond to any cyber event.  The goal is to create an efficient and referenceable document or documents that is aimed at minimizing impact, maximizing recovery, and create a culture of preparedness.

Medical Device Security -- Per Section 201(h) of the Food, Drug, and Cosmetic Act, a medical device is defined as an instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:  recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals, or intended to affect the structure or any function of the body of man or other animals, and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which does not achieve its primary intended purposes through chemical action within or on the body of man or other animals and which is not dependent upon being metabolized for the achievement of its primary intended purposes. The term "device" does not include software functions excluded pursuant to section 520(o).  Medical devices serve a critical role in the treatment and prevention of disease and are constantly evolving to become more integrated and effective. Often that means that these devices become networked or accessible via WiFi protocols.  These devices should be treated with just as much, or more, care than endpoints as they often have unique restrictions for updating software, implementation, or administration.  Being aware of how to manage these devices securely relies on process, controls, and strong vendor relationships.

Cybersecurity Oversight and Governance -- are an important, and often overlooked, aspect of a well-rounded cyber security posture.  Policies help define the measures you have in place to detect and minimize threats, management of critical processes, best practices regarding what employees should and should not do, and roles and responsibilities for members of the organization.  As a healthcare organization, they are also a requirement to have as part of your HIPAA requirements.  Below are some recommendations to get started, however, this is not a complete list of policies but instead a foundational list to get started.

Penetration Testing -- A method of testing where testers target individual binary components or the application as a whole to determine whether intra or intercomponent vulnerabilities can be exploited to compromise the application, its data, or its environment resources.

Social Engineering -- is the tactic of manipulating, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Risk Assessments -- Cybersecurity risk assessments assist healthcare providers and hospitals in understanding the cyber risks to their operations (e.g., mission, functions, critical service, image, reputation), organizational assets, and individuals.

Vendor Risk Assessments -- A vendor risk assessment (VRA), also known as a vendor risk review, is the process of identifying and evaluating potential risks or hazards associated with a vendor's operations and products and its potential impact on your organization.

Artificial Intelligence (AI) -- is the simulation of human intelligence processes by machines, especially computer systems. Specific applications of AI include expert systems, natural language processing, speech recognition and machine vision.

Cyber Insurance -- Cyber liability insurance is an insurance policy that provides businesses with a combination of coverage options to help protect the company from data breaches and other cyber security issues.

Business Impact Analysis -- A business impact analysis (BIA) predicts the consequences of a disruption to your business, and gathers information needed to develop recovery strategies.

Tracking Technologies -- are technologies used to collect information about users and their activities on a website. Examples of tracking technologies include cookies, web beacons, and embedded scripts.

Password Management/Password Storage -- Proactively implementing policies involving password management and the proper storage of passwords are effective solutions for helping to mitigate cybersecurity risks and protect sensitive and proprietary information.

Payroll Reset and Multifactor Device Change Callbacks -- By requiring all users to store contact numbers in a central system, it helps ensure team members' information is kept up to date. In doing so, it helps reduce the risk of account takeovers and provides additional security for users and their accounts.

Payroll and ACH Change Callbacks -- Developing a strong callback for payroll and ACH changes reminds employees to authenticate a request before sending funds. By training employees to recognize potential schemes and validate suspicious activity, such as new bank account numbers for a known vendor, it can help in stopping fraud.

Wire and Supply Chain Verifications -- Requires trusted contacts and callback numbers for all wire transfers and vendor information changes. It also allows for processes to be developed and implemented to regularly check for and update vendor information.

Endpoint Privilege Management and Temporary Admin Access -- enables the development of processes to allow service desk or power users to temporarily grant access to users to perform small administrative tasks. It can also help leverage device management software installation capabilities and/or utilize an endpoint management tool to grant some administrative access to users with business needs.