HHS Cybersecurity Task Force makes 3 key resources available

At HIMSS23 on Monday, leaders with the HHS 405(d) Program discussed how the updated Health Industry Cybersecurity Practices 2023 Edition and other new tools can help providers and public health groups mitigate cyber threats.
By Mike Miliard
03:01 PM

Intermountain Health CISO Erik Decker, co-chair of the HHS 405(d) Task Group, says the updated HICP guidance helps healthcare organizations allocate resources to the most pressing threats – enabling better ROI for cybersecurity investments.

Photo: Mike Miliard/HIMSS Media

CHICAGO – At the HIMSS23 Healthcare Cybersecurity Forum on Monday, a leader with the Cybersecurity and Infrastructure Security Agency cited some sobering statistics, noting an 86% increase in cyberattacks against hospitals since 2021, with healthcare reporting more such incidents than any other industry.

In response to these escalating threats, the U.S. Department of Health and Human Services on Monday made available a trio of new reports and resources to help providers and public health agencies manage the challenges posed by bad actors whose frequent exploits are only growing in sophistication and severity.

The HHS 405(d) Program, in collaboration with the Health Sector Coordinating Council Cybersecurity Working Group, announced three new tools today.

Knowledge on Demand

This online educational platform offers healthcare organizations free cybersecurity training – the first time HHS has offered such services to the health sector workforce.

This platform offers awareness trainings on five cybersecurity topics:

  • social engineering.
  • ransomware.
  • loss or theft of equipment or data.
  • insider accidental or malicious data loss.
  • attacks against network-connected medical devices.

The lessons – videos, PowerPoints and more – can be accessed and launched directly from the 405(d) website.

"Cyberattacks are one of the biggest threats facing our healthcare system today, and the best defense is prevention," said HHS Deputy Secretary Andrea Palm in a statement.

"These trainings will serve as an asset to any sized organization looking to train staff in basic cybersecurity awareness and are offered free of charge, ensuring that those hospitals and health care organizations most vulnerable to attack can take steps toward resilience. This is part of HHS's continued commitment to working with hospitals, Congress, and industry leaders in protecting America's patients."

Hospital Cyber Resiliency Landscape Analysis

This new 55-page survey (PDF) of the healthcare cybersecurity landscape is meant to benchmark participating hospitals against standard cybersecurity guidelines, such as HICP 2023 and the NIST Cybersecurity Framework.

The survey uses HICP 2023 as a lens through which to give an overview of how health systems are managing common cybersecurity threats, tracking data from hundreds of hospitals of various types and geographies, to spotlight existing best practices and new opportunities for improved resilience.

"The Hospital Cyber Resiliency Initiative Landscape Analysis greatly furthers our understanding of hospital cyber resiliency and provides us with a platform to begin working through potential policy considerations and minimum standards to better support cybersecurity in U.S. hospitals," said Palm. 

She added: "We look forward to working with hospitals, Congress, and the information security community as we look to improve cyber resiliency and protect patient safety and wellbeing."

Health Industry Cybersecurity Practices, 2023 Edition

Healthcare IT News has reported often on HICP, touted as a cyber preparedness "cookbook" to help cash-strapped health systems, among other imperatives, prioritize and target their cybersecurity resources and get the most bang for their infosec investments.

The new 2023 Edition of HICP has been updated by more than 150 industry and federal professionals to include the most relevant and cost-effective ways to keep patients safe and mitigate the current cybersecurity threats that the HPH sector faces. 

The new edition includes a deep dive on social engineering attacks, labeling them as one of the biggest threats facing the healthcare industry today. 

"Staying current and responsive to evolving cyber threats is critical to protecting patient safety. HICP 2023 is the updated version that our industry needs to make sure they are applying scarce resources to the highest threat," said Erik Decker, chief information security officer of Intermountain Health and chair of the Health Sector Coordinating Council Cybersecurity Working Group, in a press statement. 

"This will give the most underserved hospitals the best return on investment for cyber investment," he said.

At the Healthcare Cybersecurity Forum on Monday, Decker offered a bit more insight about the HICP updates, and what the Hospital Cyber Resiliency Landscape Analysis shows about the state of health information security.

The landscape analysis was meant to be "as objective of review as we possibly could do," he said. And it was taken very much from an adversarial mindset: How are we getting beat as hospitals? And then we can understand how we're getting beat. And what does the resiliency side of this look like?

"We used HICP as the basis of the whole framework on how we would evaluate the resiliency itself and then found certain practices to be in urgent need of assistance and some practices to be generally OK or just needing some additional research," he added.

Among many telling observations in the survey, "we saw statistically significant correlation between ownership of the program," said Decker.

He explained: "If the CISO actually owns the program, you get better pickup coverage, which one would hope that that would be the case. But there's a lot of CISOs that actually don't own the full breadth of the cybersecurity program."

Another finding that "was great to hear and see," he said, "is that if you have good HICP coverage, [that] has a correlation to [good] NIST cybersecurity coverage. You would think that that would be the case: As you get better at HICP you're going to get intrinsically better at the Cybersecurity Framework itself, because the framework describes this whole program.

"With those two things," Decker added, "effectively, what we're seeing then is when you put more ownership with the CISO you're going to get better resiliency, you're going to get better outcomes."

Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com

Healthcare IT News is a HIMSS publication.
