New cyber resiliency insights from the Department of Health and Human Services Cybersecurity Coordination Center aim to support healthcare providers in bolstering enterprise cyber posture to improve response in the wake of security incidents.

The guidance comes on the heels of a White House Healthcare Cybersecurity Executive Forum led by the National Cyber Director Chris Inglis, which brought together HHS leadership and U.S. government cybersecurity officials for a roundtable discussion on the state of cybersecurity in the healthcare and public health sectors.

The meeting took place just five years after the Health Care Industry Cybersecurity Task Force report on the overall challenges facing the healthcare sector that included one notable, and relatively unchanged statistic, that three out of four hospitals operate without a designated chief information security officer.

The leaders discussed progress made in the last five years, available Cybersecurity and Infrastructure Security Agency resources designed to combat critical infrastructure risks, and needed areas of focus. I am the Cavalry Founder Josh Corman recently shared similar insights with Congress.

The new insights tackle some of these challenges, targeting ongoing stakeholder calls to bolster healthcare cybersecurity to address the critical risks to patients posed by ransomware attacks and other cyber incidents that lead to disruptions in care operations. 

Mitre, for one, has long called on healthcare leaders to return to the basics and bolster incident response plans in light of threat actors continuing to target healthcare organizations with the exact intention of disrupting operations.

The guidance defines cyber posture and outlines the precise steps needed to strengthen enterprise security, with a keen focus on regularly conducted security posture assessments, consistent monitoring, vulnerability scans, and clear definitions  on just what department owns specific risks, as well as the benefits of adopting these approaches.

Covered entities can also leverage the guidance to find current threats to healthcare and best practices as defined by CISA, as well as the best ways to reduce the likelihood of an intrusion, quickly identify a possible intrusion, elements need for an effective response plan, and the need for tabletop exercises to find and eliminate gaps in the response.

The guidance also brings attention to the free security risk assessment tool provided by HHS. The agency recently updated the tool, which is designed to guide healthcare organizations through the assessment process. Risk assessments are required by the Health Insurance Portability and Accountability Act.

Healthcare providers are “responsible for handling vital and sensitive patient data.” Given the staunch increase in external attacks against the sector in the last few years, HHS is urging provider organizations to rely on the vast number of free resources to take action on cyber resiliency.

“In addition to being compliant with the law, organizations within the health sector should strive to do their best to stick to the mission of protecting patient data and sensitive information in our network from malicious threat actors,” HC3 officials concluded.