The Department of Health and Human Services (HHS) announces the release of “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.” The four-volume publication aims to provide voluntary cybersecurity practices to healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems.
The industry-led effort was in response to a mandate set forth by the Cybersecurity Act of 2015 Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry. The publication marks the culmination of a two-year effort that brought together more than 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Public-Private Partnership.
“Cybersecurity is everyone’s responsibility,” says Janet Vogel, HHS Acting Chief Information Security Officer. “It is the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”
After all, HHS officials acknowledge, hackers can exploit medical technologies to gain access to personal patient data or render entire hospital systems inoperable. Recent cyber-attacks against the nation’s healthcare sector continue to highlight this reality, as well as the importance of keeping these technologies secure.
“The healthcare industry is truly a varied digital ecosystem,” says Erik Decker, industry co-lead and chief information security and privacy officer for the University of Chicago Medicine. “We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers; recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert.”
Specifically, the HICP publication aims to provide cybersecurity practices for this vast, diverse, and open sector to ultimately improve the security and safety of patients. The main document of the publication explores the five most relevant and current threats to the industry. It also recommends 10 cybersecurity practices to help mitigate these threats.
The publication also lays out a call to action for all industry stakeholders, from C-suite executives and healthcare practitioners to IT security professionals, that protective and preventive measures must be taken now. It further includes two technical volumes geared for IT and IT security professionals: Technical Volume 1 focuses on cybersecurity practices for small healthcare organizations while Technical Volume 2 focuses on practices for medium and large healthcare organizations. The last volume provides resources and templates that organizations can leverage to assess their own cybersecurity posture, as well develop policies and procedures, HHS officials say.