The Department of Health and Human Services issued cybersecurity guidelines for the healthcare sector on Friday, focused on voluntary cybersecurity practices to reduce security risks and bolster cybersecurity programs across the industry.
The four-volume publication, dubbed Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, was drafted in partnership with more than 150 healthcare and cybersecurity leaders.
“Cybersecurity is everyone’s responsibility,” Janet Vogel, HHS Acting Chief Information Security Officer, said in a statement. “It’s the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”
Officials stressed that the practices outlined in the publication aren’t requirements, given that “such a dogmatic approach is not effective given the dynamic nature of cybersecurity threats and the fast pace of technology evolution and adoption.”
The guidance doesn’t create new frameworks or rewrite specifications or “reinvent the wheel,” and doesn’t “guarantee that these practices will aid organizations in meeting their compliance and reporting obligations.”
Instead, officials said they leveraged the NIST Cybersecurity Framework to support and educate health professionals on cybersecurity language and to help organizations start the process of implementing and adopting cyber practices.
Each volume addresses a specific topic: one is for small healthcare organizations, another for medium and large providers, a third provides resources and templates for end users, and the fourth outlines cybersecurity best practices around managing threats and protecting patient safety.
The volumes dedicated to small, medium, and large health organizations are written for their IT and security professionals.
The guidance outlines best practices around cybersecurity for the industry, presenting real-life events and statistics that explain the true cost and risk to patient care posed by cyber threats. It includes five current threats facing the industry and 10 practices to mitigate the threats.
Healthcare is a prime target for hackers given that its technologies are crucial to providing care to patients, officials explained. The recent onslaught of attacks on the sector has highlighted the need to secure these technologies and close vulnerabilities.
The document also presents a call to action for all healthcare stakeholders, explaining that preventive and protective measures are needed now to address these threats. According to the document, officials are still working on a cybersecurity practice assessment toolkit to help organizations develop their own action plans.
“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats,” Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine, said in a statement.
“That is exactly what this resource delivers: recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert,” he added.
In the coming months, officials said they’ll work with stakeholders to raise awareness and implement these cybersecurity best practices.