The Department of Health and Human Services (HHS) has issued a draft of new cybersecurity resources to guide healthcare companies in their response to cyberattacks.
The Health Industry Cybersecurity Practices document – which includes input from industry and Federal cybersecurity professionals – provides guidelines for core cybersecurity best practices for hospitals, and sets parameters for cybersecurity information sharing with the Federal government.
“While innovation and increasing sophistication in health information technology is a cause for optimism and holds the promise to help address some of our most intractable problems, whether in clinical care, fundamental research, population health or health system design, our technology will work for us only if it is secure,” Andrea Palm, HHS deputy secretary, noted in a letter included in the guidance.
“Information systems are crucial to today and tomorrow’s healthcare system, so we must take every step possible to protect them,” she added.
The publication sets forth voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes to achieve three core goals:
- Cost-effectively reduce cybersecurity risks for the Healthcare and Public Health sector;
- Support the voluntary adoption and implementation of its recommendations; and
- Ensure that content is actionable, practical, and relevant to healthcare stakeholders of every size and resource level on an ongoing basis.
The new resources come amid an increase in cyberattacks across the healthcare sector. In her letter, Palm explained that for the healthcare sector, cyberattacks are especially concerning because they “directly threaten not just the security of our systems and information, but also the health and safety of the American public.”
Recognizing that cybersecurity recommendations are rarely one-size-fits-all solutions, the publication compiles practices specific to healthcare organizations of varying sizes, ranging from small physician practices to large university hospital systems.
HHS first began publishing this type of guidance in 2018 through the 405(d) task group, which brings together industry and government experts to establish a consensus-based set of cybersecurity guidelines for the healthcare sector. HHS’s 405(d) task group was established in response to the Cybersecurity Act of 2015.