Healthcare and Public Health Sector

Cybersecurity threats to healthcare organizations and patient safety are real. Health information technology provides critical life-saving functions and consists of connected, networked systems that leverage wireless technologies, which in turn leave such systems more vulnerable to cyber-attacks. Recent highly publicized ransomware attacks on hospitals, for example, necessitated diverting patients to other hospitals and led to an inability to access patient records to continue care delivery. Such cyber-attacks can also expose sensitive patient information and lead to substantial financial costs to regain control of hospital systems and patient data. From small, independent practitioners to large, integrated health systems, cyber-attacks on healthcare records, IT systems, and medical devices have infected even the most protected systems.

Given the increasingly sophisticated and widespread nature of cyber-attacks, the healthcare industry must make cybersecurity a priority and make the appropriate investments needed to protect its patients.

Like combatting a deadly virus, cybersecurity requires mobilization and coordination of resources across a myriad of public and private stakeholders, including hospitals, IT vendors, medical device manufacturers, and governments (state, local, tribal, territorial, and federal) to mitigate the risks and minimize the impacts of a cyber-attack.  Most importantly, cybersecurity is a shared responsibility, a team effort.  It is not solely an IT issue; it is an enterprise issue with impacts to mission, business, and programs.  For the health industry, it is fundamentally about patient safety and uninterrupted care delivery. Cyber Safety is Patient Safety!

Few issues are more important than ensuring the safety, security, and integrity of the health sector, which millions of American citizens rely upon. As the Sector Risk Management Agency (SRMA), the Department of Health and Human Services (HHS) has a lead role in improving the safety, resilience, and security of the sector. Specifically, the HHS Cybersecurity Program, through the Office of Information Security, has invested in major initiatives and partnerships to serve the needs of the sector: the HHS 405(d) - Aligning Healthcare Industry Security Approaches Program and the Health Sector Cybersecurity Coordination Center (HC3). Below is more information about these programs and the ransomware-related resources that the HPH sector can turn to.

HHS 405(d) – Aligning Healthcare Industry Security Approaches

In response to the Cybersecurity Act of 2015, Section 405(d), HHS in partnership with industry established the 405(d) Aligning Healthcare Security Approaches Program. Designed to be the leading collaboration center of the Office of the Chief Information Officer/Office of Information Security, the 405(d) program is focused on providing the HPH sector with useful and impactful resources, products, and tools that help raise awareness and provide vetted cybersecurity practices, which drive behavioral change and move towards consistency in mitigating the most relevant cybersecurity threats to the sector.

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), the primary publication of the Cybersecurity Act of 2015, Section 405(d) Task Group, aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the most pertinent current cybersecurity threats to the sector. The HICP examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores five current threats, including ransomware, and presents ten practices to mitigate those threats. The publication includes a main document, two technical volumes, and resources and templates.

Additional 405(d) Resources

In the past year, the 405(d) Program has grown its reach and continues to pursue its mission of Aligning Health Care Industry Security Approaches. The 405(d) program is now able to assist with many of your cybersecurity needs. Whether it’s instituting a cybersecurity program structure using HICP or educating your staff on cybersecurity, we are here for you. Check us out on social media @Ask405d across LinkedIn, Twitter, Facebook, and Instagram. Also, please feel free to email us at Cisa405d@hhs.gov.

Health Sector Cybersecurity Coordination Center (HC3) 

The HC3 is part of the Department of Health and Human Services’ Cybersecurity Program. HC3’s mission is to support the defense of the healthcare and public health sector’s information technology infrastructure. This group advances the agency’s efforts to coordinate and share information within the sector by cultivating cybersecurity resilience, regardless of organizations’ technical capacity. HC3 develops education and mitigation resources while fostering HPH sector collaboration and partnerships.

Additional HC3 Resources: www.hhs.gov/hc3. To get the latest alerts from HC3 or be invited to the HC3 webinars, please contact HC3@hhs.gov.

Supporting Ransomware Awareness Products