The effort is led by the HHS 405(d) program and the Health Sector Coordinating Council Cybersecurity Working Group (HSCC CWG), part of a collaborative effort between the federal government and the industry, to address cybersecurity in the healthcare sector.
Resources include a new platform, Knowledge on Demand, to provide free cybersecurity training to healthcare personnel, as well as an updated 2023 edition of the healthcare industry’s cybersecurity practices and a landscape analysis of the Hospital Cyber Resilience Initiative.
On April 17, 2023, the U.S. Department of Health and Human Services (HHS) 405(d) program announced the release of the following resources to help address cybersecurity issues in the Healthcare and Public Health (HPH) sector:
- Knowledge on Demand – a new online educational platform that offers free cybersecurity training for health and public health organizations to improve cybersecurity awareness.
- Healthcare Industry Cybersecurity Practices (HICP) 2023 Edition – a foundational publication that aims to raise awareness of cybersecurity risks, provide best practices, and help the HPH industry set standards to mitigate cybersecurity threats most relevant to the industry.
- Landscape Analysis of the Hospital Cyber Resilience Initiative – a report on the current state of cybersecurity readiness of national hospitals, including a review of participating hospitals against standard cybersecurity guidelines such as HICP 2023 and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
These efforts are a key part of the Administration’s work to secure all of our nation’s critical infrastructure from cyber threats.
Knowledge on Demand
The Knowledge on Demand platform marks the first time HHS has offered free cybersecurity training to healthcare personnel and reflects the Department’s ongoing commitment to supporting the defense of the HPH industry against cyberattacks.
This new Knowledge on Demand platform offers awareness training on these five cybersecurity topics: social engineering, ransomware, loss or theft of equipment or data, accidental or malicious insider data loss, and attacks on medical devices connected to the network.
“Cyberattacks are one of the greatest threats facing our healthcare system today, and the best defense is prevention,” said Under Secretary Andrea Palm. “These trainings will serve as an asset to organizations of any size looking to train staff in basic cybersecurity awareness and are offered free of charge, ensuring that hospitals and healthcare organizations most vulnerable to attack can take measures towards resilience. This is part of HHS’s ongoing commitment to work with hospitals, Congress and industry leaders to protect American patients.”
All available training, including videos, job aids, and PowerPoint presentations, can be viewed and launched directly from the 405(d) website. The platform is also home to the newly updated Healthcare Industry Cybersecurity Practices (HICP) 2023 Edition publication.
Healthcare Industry Cybersecurity Practices 2023 Edition
The HHS 405(d) program was developed in response to the Cybersecurity Act of 2015. Under 405(d), HHS convened the 405(d) task force to improve cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, sector-based and industry-led cybersecurity guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use. These are available in the foundational HICP publication, which was published in 2018.
The 2023 HICP has been updated by more than 150 industry and federal government professionals to include the most relevant and cost-effective ways to keep patients safe and mitigate today’s cybersecurity threats facing the HPH sector. This new edition of the HICP includes a discussion of the dangerous threat of social engineering attacks as one of the top five threats facing the sector. These attacks are an attempt to trick someone into revealing information (for example, a password) that can be used to attack systems or networks, or into performing an action (for example, clicking on a link or opening a document).
“Staying up-to-date and responsive to evolving cyber threats is critical to protecting patient safety. The HICP 2023 is the updated version our industry needs to ensure it applies scarce resources to the highest threat. This will give the most underserved hospitals the greatest ROI for cyber investments,” said Erik Decker, Vice President and Chief Information Security Officer of Intermountain Health and Chair of the Cybersecurity Task Force of the Health Sector Coordinating Council, Salt Lake City, UT.
Analysis of the hospital cyber-resilience landscape
The Hospital Cyber Resiliency Initiative’s landscape analysis draws on the 2023 HICP to provide insight into how U.S. hospitals are or are not protected against common cybersecurity threats. The report analyzes data from hundreds of hospitals, representing a diverse mix of hospital types and geographies, to identify both best practices and opportunities for improvement in hospital cyber resilience.
“The Hospital Cyber Resiliency Initiative landscape analysis greatly deepens our understanding of hospital cyber resilience and provides us with a platform to begin working on potential policy considerations and minimum standards to better support cybersecurity in American hospitals. We look forward to working with hospitals, Congress, and the information security community as we seek to improve cyber resilience and protect patient safety and well-being,” said Undersecretary Andrea Palm.
HHS encourages all HPH leaders to access these new resources to begin evaluating their organizations’ cybersecurity programs. Cybersecurity demands that we be flexible and proactive, and HHS looks forward to helping the HPH sector keep patients safe. To access these resources, please visit the HHS 405(d) website at 405d.hhs.gov.