HHS Cybersecurity Task Force Releases New Resources to Address Rise in Healthcare Cyberattacks

April 17, 2023 - The HHS 405(d) Program and the Health Sector Coordinating Council Cybersecurity Working Group (HSCC CWG) led efforts to release three new and updated resources to help healthcare organizations manage cybersecurity risks.

The newly released resources include the 2023 edition of the Health Industry Cybersecurity Practices (HICP), a publication that aims to raise awareness of healthcare cybersecurity risks by providing best practices.

Originally published in 2018, the HICP is a multi-volume publication that contains a set of voluntary, consensus-based cybersecurity guidelines. HICP 2023 includes input from more than 150 industry experts and places emphasis on providing cost-effective ways to mitigate cyber threats.

“Staying current and responsive to evolving cyber threats is critical to protecting patient safety. HICP 2023 is the updated version that our industry needs to make sure they are applying scarce resources to the highest threat,” said Erik Decker, vice president and chief information security officer at Intermountain Health and chair of the HSCC CWG. “This will give the most underserved hospitals the best return on investment for cyber investment.”

In addition, the HHS Cybersecurity Task Force announced the launch of Knowledge on Demand, a new online educational platform that will offer free cybersecurity trainings for healthcare organizations. The trainings will focus on social engineering, loss or theft of equipment or data, insider accidental or malicious data loss, attacks against network connected medical devices, and ransomware.

“Cyberattacks are one of the biggest threats facing our health care system today, and the best defense is prevention,” said HHS Deputy Secretary Andrea Palm.

“These trainings will serve as an asset to any sized organization looking to train staff in basic cybersecurity awareness and are offered free of charge, ensuring that those hospitals and health care organizations most vulnerable to attack can take steps toward resilience. This is part of HHS’s continued commitment to working with hospitals, Congress, and industry leaders in protecting America’s patients.”

Lastly, the HHS Cybersecurity Task Force issued a report that assessed the current state of cybersecurity preparedness at domestic hospitals, entitled the “Hospital Cyber Resiliency Landscape Analysis.”

The report leveraged data from hundreds of hospitals and measured it against HICP 2023 guidelines.

“The Hospital Cyber Resiliency Initiative Landscape Analysis greatly furthers our understanding of hospital cyber resiliency and provides us with a platform to begin working through potential policy considerations and minimum standards to better support cybersecurity in U.S. hospitals,” Palm stated.

“We look forward to working with hospitals, Congress, and the information security community as we look to improve cyber resiliency and protect patient safety and wellbeing.”

HHS encouraged healthcare organizations to dive into these resources and use them to inform their internal security programs.