Recommended Cybersecurity Practices
-
-
May 8, 2023 – Hospital Cyber Resiliency Landscape Analysis (Health Industry and HHS 405(d) Joint Publication)
The HPH Sector has faced dramatic increases in cyber-attacks intended to cause disruption to the care continuum. In response to this growing threat, the HHS 405(d) Program conducted Landscape Analysis, which reviewed active threats attacking hospitals and the cybersecurity capabilities of hospitals operating in the United States. - April 20, 2023 – Health Industry Cybersecurity Recommendations for Government Policy and Programs
- Cyber threats to the healthcare sector are a well-documented reality of modern healthcare delivery. Ransomware attacks against hospitals, clinics, service providers, and other healthcare delivery organizations (HDOs) routinely deny access to patient records, billing systems, and other digital technologies deployed throughout modern healthcare environments.
-
April 17, 2023 – Health Industry Cybersecurity Practices 2023 – The HICP 2023 is an update to the 2019 HICP publication developed jointly by the HSCC and HHS. It provides executives, health care practitioners, providers, and health delivery organizations, such as hospitals, with best practices for managing cyberthreats to safeguard patient safety.
- April 5, 2023 – Cybersecurity for the Clinician Video Training Series – This 8-part video training series totaling 47 minutes explains in non-technical language what clinicians and students in the medical profession need to understand about how cyber attacks can affect clinical operations and patient safety, and how to help keep healthcare data, systems and patients safe from cyber threats.
- March 8, 2023 – HPH Sector Cybersecurity Framework Implementation Guide (Health Industry and HHS Joint Publication) – Using this guide, health care organizations can assess their current cybersecurity practices and risks and identify gaps for remediation. The guide serves as a roadmap for healthcare and private health sector organizations to implement the NIST Cybersecurity Framework.
- March 2, 2023 – Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS) – a comprehensive guide to address the management of cyber risk caused by legacy technologies used in healthcare environments. It recommends cybersecurity strategies that both manufacturers and health providers can implement for legacy medical technology as a shared responsibility in the clinical environment and provides insights for designing future devices that are more secure. A brief summary is found here. Also, HealthCareInfoSecurity Webinar on HSCC Guide for “Managing Legacy Technology Security“
- February 6, 2023 – Health Industry Cybersecurity Artificial Intelligence Machine Learning – An overview and discussion of 9 specific cybersecurity considerations for the implementation of A.I. in a clinical and enterprise environment.
- April 29, 2022 – Operational Continuity Cyber Incident (OCCI) : This Operational Continuity Cyber Incident (OCCI) checklist is intended to provide a flexible template for operational staff and executive management to respond to and recover from an extended enterprise outage due to a serious cyber-attack. Its suggested operational structures and tasks can be modified or refined according to an organization’s size, resources, complexity and capabilities.
- April 18, 2022 – Medtech Vulnerability Communications Toolkit (MVCT): MVCT is a toolkit written to provide specific tools to medical device manufacturers and software developers for creating cybersecurity vulnerability communications related to their products or services. This toolkit focuses on vulnerability communications directed to non-security professionals, including clinicians, patients, users and other readers not familiar with cybersecurity and connected technologies. It is intended to help medical device manufacturers formulate and communicate vulnerability disclosures that all affected audiences, including nontechnical stakeholders, can understand.
- March 3, 2022 – Model Contract-Language for Medtech Cybersecurity (MC2): MC2 offers a reference for shared cooperation and coordination between Healthcare Delivery Organizations (HDOs) and Medical Device Manufacturers (MDMs) regarding the security, compliance, management, operation, services, and security of MDM-managed medical devices, solutions, and connections. It is strongly encouraged that all medical device manufacturers, health delivery organizations, and group purchasing organizations closely review this contract language and adopt as much as is appropriate for your organization. The more uniformity and predictability we can achieve in cross enterprise cybersecurity management expectations the greater strides we’ll make toward patient safety and a more secure and resilient healthcare system. The FAQ’s in this document supplement the MC2.
- April 19, 2021 – Health Industry Cybersecurity – Securing Telehealth and Telemedicine (HIC-STAT):
HIC-STAT identifies cyber risks and best practices associated with the use of telehealth and telemedicine, and summarizes the policy and regulatory underpinnings for telehealth/telemedicine cyber risk management. It is targeted for senior executives in healthcare and IT, telehealth service and product companies, and regulators. - September 22, 2020 – Health Industry Cybersecurity Supply Chain Risk Management Guide – Version 2 (HIC-SCRiM-v2):
The HIC-SCRiM is a toolkit for small to mid-sized healthcare institutions to better ensure the security of the products and services they procure through an enterprise supply chain cybersecurity risk management program. - June 6, 2020 – Health Sector Return-to-Work (R2W) Guidance:
This guidance compiles recommendations and considerations for managing a return-to-work (“R2W”) strategy for our healthcare institutions and companies approaching COVID phase-down, both domestically and internationally. - May 18, 2020 – Health Industry Cybersecurity Tactical Crisis Response Guide (HIC-TCR):
The HIC-TCR is a tactical guide to advise health providers on tactical response activities for managing the cybersecurity threats that can occur during an emergency, such as the COVID-19 Pandemic. - May 14, 2020 – Health Industry Cybersecurity Protection of Innovation Capital (HIC-PIC):
The HIC-PIC is a white paper with guidance for how healthcare organizations can protect trade secrets, medical research and other innovation capital from cyber theft. - March 11, 2020 – Health Industry Cybersecurity Information Sharing Best Practices (HIC-ISBP):
The HIC-ISBP is a best practice guide for how healthcare organizations can set up and manage cyber threat information sharing programs for their enterprise. - March 9, 2020 – Management Checklist for Teleworking Surge During COVID-19 Response:
The Teleworking Management Checklist is designed as a quick reference for healthcare enterprise management to consider important factors in a teleworking strategy that minimizes downtime and latency while supporting patient care, operational and I.T. security, and supply chain resilience. - October 15, 2019 – Updated Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM):
The HIC-SCRiM is a toolkit for small to mid-sized healthcare institutions to better ensure the security of the products and services they procure through an enterprise supply chain cybersecurity risk management program. - October 9, 2019 – Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO):
The HIC-MISO identifies many of the cybersecurity information sharing organizations and their key services, as health organizations are beginning to understand the importance of cybersecurity information sharing and implementing information sharing systems. - June 17, 2019 – Health Industry Cybersecurity Workforce Guide:
The HIC Workforce Guide is a tool kit for recruiting and retaining skilled cybersecurity workforce in the healthcare sector. - January 2, 2019 – Health Industry Cybersecurity Practices (HICP):
The HICP is a four-volume publication that seeks to raise awareness on managing cyberthreats and safeguarding patient safety for executives, health care practitioners, providers, and health delivery organizations, such as hospitals. - January 28, 2019 – Medical Device and Health IT Joint Security Plan (JSP):
The JSP is a total product lifecycle reference guide to developing, deploying and supporting cyber secure technology solutions in the health care environment.
-
Policy Comment Letters
-
- April 20, 2023 – Health Industry Cybersecurity Recommendations for Government for Government Policy and Programs
- January 30, 2023 – H-ISAC-HSCC Comments on Warner Report
- November 17, 2022 – Health-ISAC HSCC Response to CIRCIA RFI Final
- October 03, 2022 – HSCC CWG Comments of NIST SP800
- August 04, 2022 – HSCC Comment on CISA Cross-Sector Cybersecurity Performance Goals – Common Baseline v2
- June 06, 2022 – HSCC Comment on HHS OCR RFI Implementing P.L. 166-321
- June 09, 2021 – Health Sector Cybersecurity Letter to President Biden
- December 30, 2020 – HSCC Comment on FDA Cybersecurity Vulnerability Communications Framework:
- December 17, 2020 – HSCC Letter Supporting HR 7898
- December 31, 2019 – Comments on OIG and CMS Companion Proposed Rules RFI
- June 24, 2019 – Comments on HHS ONC Information Blocking RFI
- October 26, 2018 – Comments on HHS OIG Anti-Kickback Statute RFI
- October 17, 2018 – Comments on HHS ONC EHR Reporting Program RFI
- August 24, 2018 – Comments on HHS CMS Stark Law RFI
Other Resources
-
- May 12, 2020 – 12 Tips for Safe Teleworking from HICP
- April 10, 2020 – 405(d) Cybersecurity Awareness Resource