Threat Management, Critical Infrastructure Security, Compliance Management

HHS updates cybersecurity best practices, shares free workforce training

A pharmacy technician prepares inpatient medication orders

The Health Industry Cybersecurity Practices (HICP), one of the most critical cybersecurity resources for healthcare provider organizations, has been updated with two additional volumes and supporting mitigation resources.

The update was led by the Department of Health and Human Services 405(d) Program and the Health Sector Coordinating Council Cybersecurity Working Group (HSCC CWG), a joint effort between the federal government and health sector leaders to address the sector's most pressing cybersecurity challenges.

HICP was first issued in 2018 after a thorough industry analysis by the HHS task force, detailing the biggest vulnerabilities in the sector. The much-lauded, five-volume framework was created in partnership with over 150 healthcare and cybersecurity leaders.

While these measures are voluntary, the initial release was designed to educate health professionals on cybersecurity language and begin the process of implementing and adopting cyber practices based on the NIST Cybersecurity Framework, rather than the Health Insurance Portability and Accountability Act.

The April 17 update builds on past recommendations drafted after a thorough analysis by the HHS cyber task force at that time. Prior to the 2018 release, the analysis revealed staffing was one of the largest issues facing the sector, with three out of four healthcare entities operating without a security leader.

The updated materials focus on the most relevant and cost-effective ways to bolster cybersecurity across the enterprise and includes the top threats facing the sector: social engineering, ransomware, theft or loss of equipment, data loss, and network cyberattacks against medical devices — all of which could impact patient safety.

There’s also a keen focus on social engineering and its critical risk to the sector, as insider risk has remained a top access point for healthcare organizations for the last several years.

Free HHS cybersecurity training aimed at protecting patient safety

For Erik Decker, vice president and CISO of Intermountain Health, and chair of the Health Sector Coordinating Council Cybersecurity Working Group, the updated HICP is needed by healthcare entities as they work to apply “scarce resources to the highest threat. This will give the most underserved hospitals the best return on investment for cyber investment.” 

“Staying current and responsive to evolving cyber threats is critical to protecting patient safety,” Decker added in a statement.

The release aims to raise awareness and support workforce training to reduce risk around these key areas, through the updated guidance and new Knowledge on Demand educational platform that will provide free cybersecurity training to strengthen awareness across the enterprise around these identified threats.

It’s the first free cybersecurity training offering provided by HHS, which officials say reflects their commitment to supporting the sector’s ongoing cyber defense efforts. The new site comes on the heels of an HSCC cyber video series directed to clinicians to support basic measures for users and their role in keeping data secure.

HHS also issued a new report on the current state of cyber preparedness, which includes a review from participating hospitals benchmarked against these standards. Created from data provided by hundreds of hospitals, the analysis was used to identify best practices and room for improvement when it comes to cyber resiliency in the hospital space.

Officials say today’s effort is part of the Biden administration’s ongoing focus on securing U.S. critical infrastructure from cyber threats.

“Cyberattacks are one of the biggest threats facing our healthcare system today, and the best defense is prevention,” said HHS Deputy Secretary Andrea Palm, in a statement. As such, the training resources should be viewed as an asset in ongoing basic security awareness training

By providing these videos without charge, “hospitals and healthcare organizations most vulnerable to attack can take steps toward resilience,” Palm added. “This is part of HHS’s continued commitment to working with hospitals, Congress, and industry leaders in protecting America’s patients.”

Healthcare entities are urged to review the data on the latest and most pressing threats, as well as the supporting resources in an effort to shift into a more proactive cyber approach.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.