
What healthcare providers can do to strengthen cyber resiliency

New HHS HC3 guidance aims to support healthcare covered entities with bolstering their overall cyber resilience and enterprise posture (Photo credit: “Leaders go ‘Undercover Boss’ to improve patient care” by Army Medicine is licensed under CC BY 2.0.)

New cyber resiliency insights from the Department of Health and Human Services Cybersecurity Coordination Center aim to support healthcare providers in bolstering enterprise cyber posture to improve response in the wake of security incidents.

The guidance comes on the heels of a White House Healthcare Cybersecurity Executive Forum led by the National Cyber Director Chris Inglis, which brought together HHS leadership and U.S. government cybersecurity officials for a roundtable discussion on the state of cybersecurity in the healthcare and public health sectors.

The meeting took place just five years after the Health Care Industry Cybersecurity Task Force report on the overall challenges facing the healthcare sector, which included one notable and relatively unchanged statistic: three out of four hospitals operate without a designated chief information security officer.

The leaders discussed progress made in the last five years, available Cybersecurity and Infrastructure Security Agency resources designed to combat critical infrastructure risks, and areas that still need focus. I Am The Cavalry founder Josh Corman recently shared similar insights with Congress.

The new insights tackle some of these challenges and answer ongoing stakeholder calls to bolster healthcare cybersecurity, addressing the critical risks to patients posed by ransomware attacks and other cyber incidents that disrupt care operations.

Mitre, for one, has long called on healthcare leaders to return to the basics and bolster incident response plans in light of threat actors continuing to target healthcare organizations with the exact intention of disrupting operations.

The guidance defines cyber posture and outlines the precise steps needed to strengthen enterprise security, with a keen focus on regularly conducted security posture assessments, consistent monitoring, vulnerability scans, and clear definitions of which department owns specific risks, as well as the benefits of adopting these approaches.

Covered entities can also leverage the guidance to find current threats to healthcare and best practices as defined by CISA, as well as the best ways to reduce the likelihood of an intrusion, quickly identify a possible intrusion, the elements needed for an effective response plan, and the need for tabletop exercises to find and eliminate gaps in the response.

The guidance also brings attention to the free security risk assessment tool provided by HHS. The agency recently updated the tool, which is designed to guide healthcare organizations through the assessment process. Risk assessments are required by the Health Insurance Portability and Accountability Act.

Healthcare providers are “responsible for handling vital and sensitive patient data.” Given the sharp increase in external attacks against the sector in the last few years, HHS is urging provider organizations to rely on the vast number of free resources to take action on cyber resiliency.

“In addition to being compliant with the law, organizations within the health sector should strive to do their best to stick to the mission of protecting patient data and sensitive information in our network from malicious threat actors,” HC3 officials concluded.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
