HHS Issues System Hardening Guidance for Healthcare Organizations
The HIPAA Security Rule requires covered entities and business associates to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) they create, receive, maintain, or transmit. A key element of protecting ePHI is system hardening of every device that stores or processes it, such as servers, virtual machines, smartphones, and workstations.
System hardening is the process of securing a system by reducing its attack surface by removing unnecessary services, applying secure configurations, and enforcing strong security controls. To help healthcare organizations improve their HIPAA compliance and security posture, the Department of Health and Human Services (HHS) provided guidance on the following system hardening methods.
Patching Vulnerabilities
The HIPAA Security Rule requires regulated entities to assess the potential risks and vulnerabilities to ePHI, including unpatched software.
Regardless of how old a device is, organizations need to apply security patches that address known vulnerabilities as quickly as possible. Patching applies not only to operating systems but also to application software such as electronic health record systems, databases, web servers, mobile applications, and office and email software. Firmware on network devices such as routers and firewalls also needs known vulnerabilities patched.
Steps healthcare organizations can take to ensure they stay up to date on necessary patches include:
- Signing up for vulnerability alerts from manufacturers and vendors.
- Participating in an information sharing and analysis center (ISAC) or information sharing and analysis organization (ISAO).
- Conducting scans to detect vulnerabilities, as well as missing patches and obsolete software.
- Monitoring authoritative sources for vulnerabilities such as NIST’s National Vulnerability Database and CISA’s Known Exploited Vulnerabilities Catalog.
- Maintaining an up-to-date IT asset inventory to identify the information systems that need to be hardened. The HHS Office for Civil Rights (OCR) previously published a cybersecurity newsletter on the benefits of creating and maintaining an IT asset inventory.
Patching vulnerabilities is not a one-time event, as new vulnerabilities will emerge in software and devices that have already been patched. A system hardening policy would include regular identification of needed patches.
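The steps above (vulnerability scanning, watching the CISA KEV catalog, and keeping an asset inventory) only pay off when they are joined together so that the patch queue is ordered by real-world exploitation and by whether the affected system holds ePHI. The following Python script is an added example, not HHS/OCR guidance or CompliancePoint tooling: it cross-references constructed scanner findings against a constructed excerpt in the shape of CISA's KEV JSON feed and a constructed asset inventory. The field names follow the real feed, but the CVE IDs, products, hosts, and dates are placeholders, and the tiering rules are this example's own assumptions.

```python
"""Prioritise missing patches by cross-referencing scanner findings against the
CISA Known Exploited Vulnerabilities (KEV) catalog and the IT asset inventory.
Added example; not HHS/OCR guidance text or CompliancePoint tooling."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The field names match
# the real feed (cveID, vendorProject, product, dateAdded, dueDate,
# knownRansomwareCampaignUse); the CVE IDs, products and dates are placeholders
# made up for this example, not real catalog entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "EHR Server",
     "dateAdded": "2024-01-05", "dueDate": "2024-01-26", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "Edge Router",
     "dateAdded": "2024-02-01", "dueDate": "2024-02-22", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner output: host -> CVE IDs the scanner reported as unpatched.
SCAN_FINDINGS = {
    "ehr-app-01": ["CVE-1900-0001", "CVE-1900-0003"],
    "edge-rtr-01": ["CVE-1900-0002"],
    "kiosk-07": ["CVE-1900-0003"],  # deliberately absent from INVENTORY below
}

# Constructed IT asset inventory: host -> what the risk analysis needs to know.
INVENTORY = {
    "ehr-app-01": {"ephi": True, "owner": "clinical-it"},
    "edge-rtr-01": {"ephi": False, "owner": "network"},
}


def load_kev(raw_json):
    """Index a KEV feed (or the constructed excerpt above) by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritize(findings, kev, inventory, today):
    """Return (work items, most urgent first; hosts missing from the inventory).

    Tiers (this example's own rule): P1 = in KEV on a host that stores or
    processes ePHI, or on a host the inventory does not know about (assumed to
    hold ePHI until proven otherwise); P2 = in KEV elsewhere; P3 = reported by
    the scanner but not in KEV. Within a tier, earlier KEV due dates and known
    ransomware use sort first.
    """
    items, gaps = [], []
    for host, cves in findings.items():
        asset = inventory.get(host)
        if asset is None:
            gaps.append(host)
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                tier, due, ransomware = "P3", None, False
            else:
                due = date.fromisoformat(entry["dueDate"])
                ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
                tier = "P1" if asset is None or asset["ephi"] else "P2"
            items.append({
                "host": host, "cve": cve, "tier": tier, "due": due,
                "overdue": due is not None and due < today,
                "ransomware": ransomware,
                "owner": asset["owner"] if asset else None,
            })
    items.sort(key=lambda i: (i["tier"], i["due"] or date.max, not i["ransomware"]))
    return items, gaps


def run_example(today=date(2024, 3, 1)):
    """Run the constructed data through prioritize() as of a fixed date."""
    return prioritize(SCAN_FINDINGS, load_kev(KEV_SAMPLE), INVENTORY, today)


if __name__ == "__main__":
    work, gaps = run_example()
    for w in work:
        flags = ("OVERDUE " if w["overdue"] else "") + ("ransomware" if w["ransomware"] else "")
        print(f"{w['tier']} {w['host']:<12} {w['cve']} due={w['due']} owner={w['owner']} {flags}")
    if gaps:
        print("Hosts not in the asset inventory (fix the inventory first):", gaps)
```

In a real deployment the KEV feed is downloaded from CISA's published JSON URL and the findings come from the scanner's export; the "hosts not in the asset inventory" line is the inventory gap the OCR newsletter warns about, and it should be treated as a finding in its own right, because a host the inventory does not know about cannot be risk-rated.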
Removing or Disabling Unneeded Software and Services
Desktop computers, laptops, and smartphones often ship with software that is never used but still contains security vulnerabilities, such as games, messaging apps, social media apps, or manufacturer-installed utilities. If the software is not needed or wanted, uninstall or disable it. Most operating systems (Windows, macOS, Android, iOS, Linux) let users view what software is installed and document how to uninstall it.
When removing or disabling software, organizations need to be aware of unintended consequences, such as adversely affecting the system's stability, performance, or security posture. To determine how a change could affect ePHI, test how removing or disabling the software affects a system's operation in a development or test environment before making the change on production systems.
Operating systems can also include unnecessary features or services that create security risk. Organizations should consider removing pre-installed online gaming and social media software and disabling remote access and file transfer services such as RDP, telnet, and FTP that have not been vetted for security. Telnet and FTP send credentials and data in cleartext, and an RDP service reachable from outside the organization is a common entry point for attackers, so these should stay disabled unless a documented business need exists. If a feature cannot be removed, it can usually be disabled using command-line tools run as the administrator or root user.
Some software creates generic or service accounts during installation. These accounts may have the same permissions as a privileged user and may ship with default passwords that are widely known, making them an easy target for attackers. Examples include products whose administrator account uses the default password "admin", or guest accounts with a simple password or no password at all. Where default passwords are present, organizations should change them to strong, unique passwords, and disable any such accounts that are not needed.
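To make the two preceding points concrete (finding the unvetted remote-access and file-transfer services, and finding accounts that will accept an empty password), here is an added Python example for a Linux host; it is not HHS/OCR or CompliancePoint code. It parses a constructed sample of `ss -tlnp` output and a constructed `/etc/shadow` excerpt with placeholder hashes, and emits, rather than runs, the root commands that would disable the findings. The systemd unit names in `UNIT_FOR` are assumptions that vary by distribution.

```python
"""Audit a Linux host for the remote-access/file-transfer services and
empty-password accounts the HHS guidance calls out, and emit (not run) the root
commands that would disable them. Added example; not HHS/OCR or CompliancePoint
code. Unit names are assumptions and vary by distribution."""
import re

# Constructed sample of `ss -tlnp` output; not captured from a real system.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      5            0.0.0.0:23          0.0.0.0:*     users:(("in.telnetd",pid=901,fd=4))
LISTEN 0      32           0.0.0.0:21          0.0.0.0:*     users:(("vsftpd",pid=955,fd=3))
LISTEN 0      128             [::]:3389           [::]:*     users:(("xrdp",pid=1020,fd=11))
LISTEN 0      128        127.0.0.1:5432        0.0.0.0:*     users:(("postgres",pid=700,fd=5))
"""

# Constructed /etc/shadow excerpt with placeholder hashes (not real credentials).
# An empty second field means the account can log in with no password at all.
SHADOW_SAMPLE = """\
root:$6$placeholder$abcdef:19700:0:99999:7:::
guest::19700:0:99999:7:::
appsvc:$6$placeholder$ghijkl:19700:0:99999:7:::
nobody:*:19700:0:99999:7:::
daemon:!:19700:0:99999:7:::
"""

# The services the HHS guidance names as candidates for disabling unless vetted.
RISKY_PORTS = {21: "ftp", 23: "telnet", 3389: "rdp"}
# Assumed systemd unit names for this example; confirm with `systemctl list-units`
# on the host, as packaging differs between distributions.
UNIT_FOR = {"ftp": "vsftpd.service", "telnet": "telnet.socket", "rdp": "xrdp.service"}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def risky_listeners(ss_output):
    """Parse `ss -tlnp` text and return the risky listening sockets found."""
    found = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header or malformed line
        bind_addr, port = parts[3].rsplit(":", 1)
        port = int(port)
        if port not in RISKY_PORTS:
            continue
        proc = re.search(r'\("([^"]+)"', line)
        found.append({
            "port": port,
            "service": RISKY_PORTS[port],
            "bind": bind_addr,
            "process": proc.group(1) if proc else None,
            # a listener bound only to loopback is not reachable from the network
            "exposed": bind_addr not in LOOPBACK,
        })
    return found


def empty_password_accounts(shadow_text):
    """Accounts whose shadow password field is empty. Locked entries ('*', '!')
    and hashed entries are left alone; a *known default* password cannot be
    recognised from its hash and must be checked against vendor documentation."""
    weak = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            weak.append(fields[0])
    return weak


def remediation_commands(listeners, weak_accounts):
    """Root commands to disable the findings. Returned rather than executed so
    they can be tried in a test environment before touching production."""
    cmds = []
    for unit in dict.fromkeys(UNIT_FOR[l["service"]] for l in listeners):
        cmds.append(f"systemctl disable --now {unit}")
    for user in weak_accounts:
        cmds.append(f"passwd -l {user}")  # lock until a strong password is set
    return cmds


if __name__ == "__main__":
    listeners = risky_listeners(SS_SAMPLE)
    weak = empty_password_accounts(SHADOW_SAMPLE)
    for l in listeners:
        print(f"port {l['port']} ({l['service']}) bound to {l['bind']} by {l['process']}"
              + (" [network-exposed]" if l["exposed"] else ""))
    for u in weak:
        print(f"account {u} has an empty password")
    print("\n".join(remediation_commands(listeners, weak)))
```

On a live host, feed the script the real output of `ss -tlnp` and `/etc/shadow` (both require root to read fully), review the printed commands, and run them first on a test system as the guidance advises. The Windows counterpart is the same procedure with `Get-NetTCPConnection -State Listen` and `Set-Service -StartupType Disabled` from an elevated PowerShell session.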
Enabling and Configuring Security Measures
Installing security safeguards is another key aspect of system hardening. This can include third-party solutions such as anti-malware, endpoint detection and response (EDR), and security information and event management (SIEM) tools.
Software and operating systems often come with technical safeguards, such as access controls, encryption, audit controls, and authentication. Here are some resources that can help organizations identify and apply security baselines:
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- Microsoft’s Security Baseline Guide (for Microsoft products)
- Department of Defense Security Technical Implementation Guides (STIGs)
Whichever path your organization takes to implement security baselines, it should align with HIPAA risk analysis and risk management processes to ensure ePHI security meets HIPAA standards.
CompliancePoint has a long history of helping healthcare organizations meet their cybersecurity, data privacy, and HIPAA compliance goals. Reach out to us at connect@compliance.com to learn more about our healthcare services.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.
