[BreachExchange] HHS Releases Best Practice Healthcare Cybersecurity Guidelines

Inga Goddijn inga at riskbasedsecurity.com
Mon Dec 31 17:35:53 EST 2018


https://healthitsecurity.com/news/hhs-releases-best-practice-healthcare-cybersecurity-guidelines

The Department of Health and Human Services issued
<https://www.hhs.gov/about/news/2018/12/28/hhs-in-partnership-with-industry-releases-voluntary-cybersecurity-practices-for-the-health-industry.html>
cybersecurity guidelines for the healthcare sector on Friday, focused on
voluntary cybersecurity practices to reduce security risks and bolster
cybersecurity programs across the industry.

The four-volume publication dubbed *Health Industry Cybersecurity
Practices: Managing Threats and Protecting Patients* was drafted in
partnership with more than 150 healthcare and cybersecurity
leaders.

“Cybersecurity is everyone’s responsibility,” Janet Vogel, HHS Acting Chief
Information Security Officer, said in a statement. “It’s the responsibility
of every organization working in healthcare and public health. In all of
our efforts, we must recognize and leverage the value of partnerships among
government and industry stakeholders to tackle the shared problems
collaboratively.”

Officials stressed that the practices outlined in the publication aren’t
requirements, given that “such a dogmatic approach is not effective given
the dynamic nature of cybersecurity threats and the fast pace of technology
evolution and adoption.”

The guidance doesn’t create new frameworks or rewrite specifications or
“reinvent the wheel,” and doesn’t “guarantee that these practices will aid
organizations in meeting their compliance and reporting obligations.”

Instead, officials said they leveraged the NIST Cybersecurity Framework to
support and educate health professionals on cybersecurity language and help
organizations start the process of implementing and adopting cyber
practices.

Each volume addresses a specific topic, including one for small healthcare
organizations, another for medium and large providers, a third for
resources and templates for end users, and a last volume that outlines cybersecurity
best practices around managing threats and protecting patient safety.

The volumes dedicated to small, medium, and large health organizations are
written for their IT and security professionals.

The guidance outlines best practices around cybersecurity for the industry,
presenting real-life events and statistics that explain the true cost and
risk to patient care posed by cyber threats. It includes five current
threats facing the industry and 10 practices to mitigate the threats.

Healthcare is a prime target for hackers given that its technologies are
crucial to providing care to patients, officials explained. The recent
onslaught of attacks on the sector has highlighted the need to secure
these technologies and close vulnerabilities.

The document also presented a call to action for all healthcare
stakeholders, which explained that preventative and protective
measures are needed now to address these threats. According to the document
list
<https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx>,
officials are still working on a cybersecurity practice assessments toolkit
to help organizations develop their own action plans.

“The healthcare industry is truly a varied digital ecosystem. We heard loud
and clear through this process that providers need actionable and practical
advice, tailored to their needs, to manage modern cyber threats,” Erik
Decker, industry co-lead and Chief Information Security and Privacy Officer
for the University of Chicago Medicine, said in a statement.

“That is exactly what this resource delivers: recommendations stratified by
the size of the organization, written for both the clinician as well as the
IT subject matter expert,” he added.

In the coming months, officials said they’ll work with stakeholders to
raise awareness and implement these cybersecurity best practices.