The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of several new resources aimed at helping address cybersecurity concerns in the Healthcare and Public Health (HPH) Sector.

The new resources from the HHS include:

  • Knowledge on Demand – a new online educational platform that offers free cybersecurity trainings for health and public health organizations to improve cybersecurity awareness.
  • Health Industry Cybersecurity Practices (HICP) 2023 Edition – a foundational publication that aims to raise awareness of cybersecurity risks, provide best practices, and help the HPH Sector set standards in mitigating the most pertinent cybersecurity threats to the sector.
  • Hospital Cyber Resiliency Initiative Landscape Analysis – a report on domestic hospitals’ current state of cybersecurity preparedness, including a review of participating hospitals benchmarked against standard cybersecurity guidelines such as HICP 2023 and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).

Knowledge on Demand

The Knowledge on Demand platform marks the first time HHS has offered free cybersecurity training to the health sector workforce and reflects the department’s commitment to supporting the HPH Sector’s defense against cyberattacks, the HHS says.

This new Knowledge on Demand platform offers awareness training on five cybersecurity topics: social engineering, ransomware, loss or theft of equipment or data, insider accidental or malicious data loss, and attacks against network-connected medical devices.

“Cyberattacks are one of the biggest threats facing our health care system today, and the best defense is prevention,” says Deputy Secretary Andrea Palm. “These trainings will serve as an asset to any sized organization looking to train staff in basic cybersecurity awareness and are offered free of charge, ensuring that those hospitals and health care organizations most vulnerable to attack can take steps toward resilience. This is part of HHS’s continued commitment to working with hospitals, Congress, and industry leaders in protecting America’s patients.”

All available trainings include videos, job aids, and PowerPoints, which can be accessed and launched directly from the 405(d) website. The platform is also home to the newly updated Health Industry Cybersecurity Practices (HICP) 2023 Edition Publication.

Health Industry Cybersecurity Practices 2023 Edition

The HHS 405(d) Program was developed in response to the Cybersecurity Act of 2015.

Under Section 405(d), HHS convened the 405(d) Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use. These are available in the program’s cornerstone publication HICP, which was published in 2018.

HICP 2023 has been updated by over 150 industry and federal professionals to include the most relevant and cost-effective ways to keep patients safe and mitigate the current cybersecurity threats that the HPH sector faces. This new edition of HICP includes a discussion of the dangerous threat of social engineering attacks as one of the top five threats facing the sector. These attacks attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks, or into taking an action (e.g., clicking a link, opening a document).

“Staying current and responsive to evolving cyber threats is critical to protecting patient safety. HICP 2023 is the updated version that our industry needs to make sure they are applying scarce resources to the highest threat. This will give the most underserved hospitals the best return on investment for cyber investment,” says Erik Decker, VP and chief information security officer of Intermountain Health and Chair of the Health Sector Coordinating Council Cybersecurity Working Group, Salt Lake City, UT.

Hospital Cyber Resiliency Landscape Analysis

Finally, the Hospital Cyber Resiliency Initiative Landscape Analysis leverages HICP 2023 to provide an overview of how U.S. hospitals are or are not protected against common cybersecurity threats. The report analyzes data from hundreds of hospitals, representing a diverse mix of hospital types and geographies, to identify both best practices and opportunities for improvement in hospital cyber resiliency.

“The Hospital Cyber Resiliency Initiative Landscape Analysis greatly furthers our understanding of hospital cyber resiliency and provides us with a platform to begin working through potential policy considerations and minimum standards to better support cybersecurity in U.S. hospitals. We look forward to working with hospitals, Congress, and the information security community as we look to improve cyber resiliency and protect patient safety and wellbeing,” says Palm.

HHS encourages all HPH Sector leaders to access these new resources to begin assessing their organizations’ cybersecurity programs.