Healthcare and Public Health Cybersecurity
With its focus on caring for people, the Healthcare and Public Health (HPH) sector touches each of our lives in powerful ways. Today, much of the work the HPH sector carries out is based in the digital world, leveraging technology to store patient and medical information, carry out medical procedures, communicate with patients, and more. Any disruptions to the HPH digital ecosystem can impact patient safety, create openings for identity theft, and expose intellectual property, among other damaging effects.
To help improve cybersecurity within the HPH sector, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group are working together to deliver tools, resources, training, and information that can help organizations within this sector. Together, CISA brings technical expertise as the nation’s cyber defense agency, HHS offers extensive expertise in healthcare and public health, and the HSCC Cybersecurity Working Group offers the practical expertise of industry experts working cybersecurity issues in HPH every day.
How to Use this Toolkit
This toolkit consolidates key resources for HPH organizations at every level. Starting with the fundamental cyber hygiene steps that every organization and individual should take, the toolkit can help organizations within the HPH sector build their cybersecurity foundation and progress to implement more advanced, complex tools to strengthen their defenses and stay ahead of current threats.
Because cybersecurity is one of many areas where the Healthcare and Public Health sector is facing persistent challenges, CISA and HHS are providing this toolkit filled with remedies to give sector stakeholders a greater ability to proactively assess vulnerabilities and implement solutions.
U.S. Department of Health and Human Services Releases Cybersecurity Performance Goals for the Healthcare Sector
On January 25, the U.S. Department of Health and Human Services published voluntary healthcare-specific Cybersecurity Performance Goals to help healthcare organizations prioritize implementation of high-impact cybersecurity practices.
Cybersecurity isn't one size fits all. Different healthcare entities have distinct strengths and weaknesses and a wide range of needs. Regardless of where an organization fits into the picture, these resources can help build a cybersecure foundation.
CISA offers industry best practices and resources on training and exercises, incident response planning, priority telecoms services, cyber resilience, tackling ransomware and much more to help healthcare organizations strengthen their defenses.
Recognizing that the nation’s healthcare systems and providers have been under severe resource constraints—especially since the start of COVID-19—members of the HPH sector should actively take steps to address their constraints.
Collaborate, Stay Informed, and Share Information Voluntarily
Voluntary sharing of information about cyber-related events that threaten critical infrastructure organizations is critical to creating a better, more holistic understanding of the threat environment for all healthcare organizations.
What You Can Do
- OBSERVE the activity
- ACT by taking local steps to mitigate the threat
- REPORT the event
Types of Activity to Share
- Unauthorized access to your system
- Denial of Service (DOS) attacks that last more than 12 hours
- Malicious code on your systems, including variants if known
- Targeted and repeated scans against services on your systems
- Repeated attempts to gain unauthorized access to your system
- Email or mobile messages associated with phishing attempts or successes
- Ransomware against Critical Infrastructure, include variant and ransom details if known
Connect with CISA's Regional Team
CISA offers a range of cyber and physical services to support the security and resilience of critical infrastructure owners and operators—including healthcare and public health—and state, local, tribal, and territorial partners.
Find opportunities to collaborate with private sector and government partners, best practices and guidance for improving enterprise cybersecurity, and help preparing for, responding to, and recovering from significant cyber and physical threats.
U.S. Department of Health and Human Services (HHS): HHS is the Sector Risk Management Agency for the healthcare and public health sector.
This toolkit focuses primarily on cybersecurity resources, but CISA has a wide array of offerings to help the HPH sector and other critical infrastructure organizations improve their security and resilience. Here are some more resources to explore.
Advisories, Alerts, and Other Information
Stakeholders can join the HC3 listserv to receive immediate notification of products and invitations to monthly threat briefings by emailing HC3@hhs.gov.
CISA’s Automated Indicator Sharing (AIS) platform provides a public feed for real-time sharing of cyber threat intelligence.
The NCAS provides cybersecurity advisories that often include information tailored for health and public health.
Sign up for the Joint Cyber Defense Collaborative ‘Industry Exchange’ Community of Interest (COI)
CISA’s Homeland Security Information Network (HSIN). HSIN is a secure, trusted environment where federal, state, local, territorial, tribal, international and private sector partners receive Sensitive But Unclassified information up to the TLP:GREEN
Healthcare and Public Health Sector Highlights
HHS’s Office of Critical Infrastructure Protection distributes weekly bulletins. Request to be added to the Cybersecurity Edition and find bulletins on other critical infrastructure topics at the CIP Bulletins webpage.
This CISA Mitigation Guide offers recommendations and best practices to combat pervasive cyber threats affecting the Healthcare and Public Health (HPH) Sector.