On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of the following resources to help address cybersecurity concerns in the Healthcare and Public Health (HPH) Sector:
- Knowledge on Demand – a new online educational platform that offers free cybersecurity trainings for health and public health organizations to improve cybersecurity awareness.
- Health Industry Cybersecurity Practices (HICP) 2023 Edition – a foundational publication that aims to raise awareness of cybersecurity risks, provide best practices, and help the HPH Sector set standards in mitigating the most pertinent cybersecurity threats to the sector.
- Hospital Cyber Resiliency Initiative Landscape Analysis – PDF – a report on domestic hospitals’ current state of cybersecurity preparedness, including a review of participating hospitals benchmarked against standard cybersecurity guidelines such as HICP 2023 and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
These efforts are a key part of the Administration’s work to secure all of our Nation’s critical infrastructure from cyber threats.
Knowledge on Demand
The Knowledge on Demand platform marks the first time HHS has offered free cybersecurity trainings to the health sector workforce and reflects the Department’s continued commitment to supporting the HPH Sector’s defense against cyberattacks.
This new Knowledge on Demand platform offers awareness trainings on these five cybersecurity topics: social engineering, ransomware, loss or theft of equipment or data, insider accidental or malicious data loss, and attacks against network connected medical devices.
“Cyberattacks are one of the biggest threats facing our health care system today, and the best defense is prevention,” said Deputy Secretary Andrea Palm. “These trainings will serve as an asset to any sized organization looking to train staff in basic cybersecurity awareness and are offered free of charge, ensuring that those hospitals and health care organizations most vulnerable to attack can take steps toward resilience. This is part of HHS’s continued commitment to working with hospitals, Congress, and industry leaders in protecting America’s patients.”
All available trainings including videos, job aids and PowerPoints, can be accessed and launched directly from the 405(d) website. The platform is also home to the newly updated Health Industry Cybersecurity Practices (HICP) 2023 Edition Publication.
Health Industry Cybersecurity Practices 2023 Edition
The HHS 405(d) Program was developed in response to the Cybersecurity Act of 2015. Under Section 405(d), HHS convened the 405(d) Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures, and processes that health care organizations can use. These are available in the program’s cornerstone publication HICP, which was published in 2018.
HICP 2023 has been updated by over 150 industry and federal professionals to include the most relevant and cost-effective ways to keep patients safe and mitigate the current cybersecurity threats that the HPH sector faces. This new edition of HICP includes a discussion of the dangerous threat of social engineering attacks as one of the top five threats facing the sector. These attacks are an attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks or taking an action (e.g., clicking a link, opening a document).
“Staying current and responsive to evolving cyber threats is critical to protecting patient safety. HICP 2023 is the updated version that our industry needs to make sure they are applying scarce resources to the highest threat. This will give the most underserved hospitals the best return on investment for cyber investment,” saidErik Decker, Vice President and Chief Information Security Officer of Intermountain Health and Chair of the Health Sector Coordinating Council Cybersecurity Working Group, Salt Lake City, UT.
Hospital Cyber Resiliency Landscape Analysis
The Hospital Cyber Resiliency Initiative Landscape Analysis leverages HICP 2023 to provide an overview of how U.S. hospitals are or are not protected against common cybersecurity threats. The report analyzes data from hundreds of hospitals, representing a diverse mix of hospital types and geographies, to identify both best practices and opportunities for improvement in hospital cyber resiliency.
“The Hospital Cyber Resiliency Initiative Landscape Analysis greatly furthers our understanding of hospital cyber resiliency and provides us with a platform to begin working through potential policy considerations and minimum standards to better support cybersecurity in U.S. hospitals. We look forward to working with hospitals, Congress, and the information security community as we look to improve cyber resiliency and protect patient safety and wellbeing.” said Deputy Secretary Andrea Palm.
HHS encourages all HPH Sector leaders to access these new resources to begin assessing their organizations’ cybersecurity programs. Cybersecurity requires us to be flexible and preemptive and HHS looks forward to helping the HPH sector uphold patient safety. To access these resources please visit the HHS 405(d) Website at 405d.hhs.gov.
