The U.S. Department of Health and Human Services (HHS) last Friday released a four-volume set of voluntary cybersecurity practices to help healthcare organizations ranging from local clinics to large hospital systems deal with the menacing threats hackers pose.
Some 150 cybersecurity and healthcare experts from HHS and the private sector collaborated over two years to compile the publication, which was mandated by the Cybersecurity Act of 2015. The end goal was to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry. Officials called the initiative a “true public-private partnership to better secure the nation’s health systems.”
Material in the documents ranges from an overview of the threat landscape to specific cybersecurity practices for small, medium and large organizations. A volume of resources and templates is also included, and a toolkit to help organizations prioritize threats and develop their own action plans is in development.
“Cybersecurity is everyone’s responsibility,” said Janet Vogel, HHS Acting Chief Information Security Officer. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”
Here are the four documents:
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), which is the main document, examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores five current threats and presents 10 practices to mitigate those threats.
- Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations discusses the 10 cybersecurity practices along with sub-practices for small health care organizations.
- Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations covers the 10 cybersecurity practices along with sub-practices for medium and large healthcare organizations.
- Resources and Templates: The Resources and Templates portion includes a variety of cybersecurity resources and templates for end users to reference.
Cybersecurity Practices Assessments Toolkit: This tool, still in development, is designed to help organizations prioritize their cyber threats and develop their own action plans using the assessment methodology outlined in the Resources and Templates volume.
“We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats,” said Erik Decker, the University of Chicago Medicine's industry co-lead and chief information security and privacy officer.