Healthcare Industry And HHS Partner To Align Health System Cybersecurity With NIST Framework

March 2023
Today, the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group and the U.S. Department of Health and Human Services (HHS) jointly released a guide to help the public and private healthcare sectors align their cybersecurity programs with the NIST Cybersecurity Framework (CSF). The Cybersecurity Framework Implementation Guide provides specific steps that health care organizations can take immediately to manage cyber risks to their information technology systems and reduce the number of cyber incidents affecting the sector.  Recent high-profile cyberattacks reinforce the need for health providers and organizations to assess their cyber health and take actions to improve cybersecurity.

The guide was jointly developed by the HHS and HSCC – a public-private partnership for critical infrastructure protection.  The National Institute for Standards and Technology (NIST) and other federal agencies contributed substantially to its content.

“This publication is an example of an innovative partnership that industry and government leveraged to develop actionable recommendations for higher competency and accountability in healthcare cybersecurity,” observed HSCC Cybersecurity Working Group Chair and Intermountain Healthcare CISO Erik Decker. “The guide supplements an earlier joint publication of the HHS/HSCC 405(d) Program – the ‘Health Industry Cybersecurity Practices’ – which is aligned with the NIST Cybersecurity Framework. With this toolkit, organizations of all sizes can implement cybersecurity best practices, protect their patients, and make the sector more resilient,” Decker said.

The 2018 NIST Framework for Improving Critical Infrastructure Cybersecurity is a risk management model that has become the standard for government agencies and industry in managing cybersecurity risks. The guide released today adapts the 2018 NIST Framework for health care organizations. With this guide, health care organizations will be better equipped to implement the security framework using their existing security measures with minimal disruptions to their current operations.

“Health care cyberattacks are among the fastest growing types of cybercrime – jeopardizing patient care, damaging the integrity of health care systems, and threatening the U.S. economy,” said Assistant Secretary for Preparedness and Response Dawn O’Connell. “Health care organizations must safeguard their information technology systems to help prevent attacks and create a culture of cyber safety in the health care industry.”

Using this guide, health care organizations can assess their current cybersecurity practices and risks, and identify gaps for remediation. The guide serves as a roadmap for healthcare and private health sector organizations to implement the NIST Cybersecurity Framework, including:

  • Guiding risk management principles and best practices
  • Providing common language to address and manage cybersecurity risk
  • Outlining a structure for organizations to understand and apply cybersecurity risk management
  • Identifying effective standards, guidelines, and practices to manage cybersecurity risk cost-effectively based on business needs

Bryan Cline, the industry lead for the guide and Chief Research Officer for HITRUST, added, “With data breaches having doubled over the past five years and ransomware attacks reaching almost 400 in the same period, it is clear that the healthcare industry needs to up its game. Health industry stakeholders of all sizes and subsectors can reduce their cyber risk exposure by implementing this resource and many others produced by the HSCC and government partners,” he said.

About the HSCC Joint Cybersecurity Working Group

The Healthcare and Public Health Sector Coordinating Council (HSCC) is an advisory council of healthcare entities organized under the National Infrastructure Protection Plan to partner with the government in the identification and mitigation of strategic threats and vulnerabilities facing the sector’s ability to deliver services and assets to the public.  The HSCC Joint Cybersecurity Working Group (CWG) is composed of almost 400 industry and government organizations working together to develop strategies to address emerging and ongoing cybersecurity challenges to the health sector.