HHS Publishes New Resources for Improving Healthcare Cybersecurity
The Health Sector Coordinating Council Cybersecurity Working Group and the HHS 405(d) Program have published three additional resources to help the healthcare sector manage cybersecurity risks. Hacking incidents at healthcare organizations have increased sharply in recent years and data breaches are being reported at extremely high levels. For the past two years, around 700 large data breaches have been reported by HIPAA-regulated entities and tens of millions of patients and health plan members have had their personal and health information compromised. It is vital for healthcare organizations to stay current and responsive to evolving cyber threats and ensure they continually monitor, test, and improve their defenses to prevent unauthorized individuals from gaining access to their networks. Cybersecurity is not only a technical issue, but also a patient safety issue, and cyberattacks are one of the biggest threats faced by the healthcare system in the United States.
The new resources include a 2023 update to the Health Industry Cybersecurity Practices (HICP). HICP was first published in 2018 and includes a set of voluntary, consensus-based cybersecurity guidelines and best practices, which were developed in consultation with more than 150 cybersecurity experts. HICP provides cost-effective ways to improve security for healthcare organizations of all sizes and is divided into volumes for small and medium/large healthcare organizations.
The updated HICP is accompanied by a new online educational platform called Knowledge on Demand, which is a free resource that provides cybersecurity training for health and public health organizations to improve the cybersecurity awareness of their workforces. The training material covers five of the most common and serious cyber threats: social engineering/phishing; ransomware; loss/theft of equipment and data; accidental, intentional, and malicious data loss; and attacks against network-connected medical devices. Training the workforce to be aware of cyber threats specific to the healthcare sector is vital for improving resiliency.
The final resource – the Hospital Cyber Resiliency Initiative Landscape Analysis – is a report on the current state of cybersecurity at domestic hospitals and is an analysis of their preparedness, based on a review of participating hospitals against standard cybersecurity benchmarks such as the NIST Cybersecurity Framework.
The new resources can be accessed on the HHS website.