The U.S. Department of Health and Human Services (HHS), through the Administration for Strategic Preparedness and Response (ASPR), released a cybersecurity implementation guide to help the public and private healthcare sectors prevent cybersecurity incidents.

The Cybersecurity Framework Implementation Guide provides specific steps that health care organizations can take immediately to manage cyber risks to their information technology systems.


“Cyber incidents pose risks to patient data, intellectual property, scientific or laboratory research, medical manufacturing, and ultimately the ability of health care organizations to safely serve their patients,” says HHS Deputy Secretary Andrea Palm. “The release of this guide will help health care organizations become better equipped to assess and improve their cybersecurity.”

An HHS and HSCC Collaboration

The guide was jointly developed by HHS ASPR and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group, a public-private partnership under Presidential Policy Directive 21. The National Institute of Standards and Technology (NIST) and other federal agencies contributed substantially to its content. Recent high-profile cyberattacks reinforce the need for companies and organizations to assess their cyber health and resilience and take actions to improve cybersecurity.

Cyber incidents can cause doctors to lose access to critical monitoring and record systems; patients may need to be transferred to different facilities, which can delay their care; and equipment can go down, forcing the use of manual processes. All of these outcomes affect the safety and wellbeing of patients.

“Health care cyberattacks are among the fastest growing type of cybercrime – jeopardizing patient care, damaging the integrity of health care systems, and threatening the U.S. economy,” says Assistant Secretary for Preparedness and Response Dawn O’Connell. “Health care organizations must safeguard their information technology systems to help prevent attacks and create a culture of cyber safety in the health care industry.”

The guide serves as a roadmap for healthcare and private health sector organizations to implement the NIST Cybersecurity Framework, including:

  • Guiding risk management principles and best practices
  • Providing common language to address and manage cybersecurity risk
  • Outlining a structure for organizations to understand and apply cybersecurity risk management
  • Identifying effective standards, guidelines, and practices to manage cybersecurity risk cost-effectively based on business needs

The 2018 NIST Framework for Improving Critical Infrastructure Cybersecurity is a risk management model that has become the standard for government agencies and industry in managing cybersecurity risks. The guide released today adapts the 2018 NIST Framework for health care organizations. Using the guide, health care organizations will be better equipped to implement the security framework on top of their existing security measures, with minimal disruption to their current operations.

“This is another great step forward in strengthening the partnership between HHS and the Health Sector Coordinating Council,” says HHS Chief Information Security Officer La Monte R. Yarborough. “This Framework Implementation Guide joins a growing list of jointly produced resources that are aligned with the NIST framework – allowing organizations of all sizes to implement cybersecurity best practices, protect their patients, and make the sector more resilient.”