Recommended Cybersecurity Practices

 

    • April 29, 2022 – Operational Continuity Cyber Incident (OCCI): This Operational Continuity Cyber Incident (OCCI) checklist is intended to provide a flexible template for operational staff and executive management to respond to and recover from an extended enterprise outage due to a serious cyber-attack. Its suggested operational structures and tasks can be modified or refined according to an organization’s size, resources, complexity and capabilities.
    • April 18, 2022 – Medtech Vulnerability Communications Toolkit (MVCT): MVCT is a toolkit written to provide specific tools to medical device manufacturers and software developers for creating cybersecurity vulnerability communications related to their products or services. This toolkit focuses on vulnerability communications directed to non-security professionals, including clinicians, patients, users and other readers not familiar with cybersecurity and connected technologies. It is intended to help medical device manufacturers formulate and communicate vulnerability disclosures that all affected audiences, including nontechnical stakeholders, can understand.
    • March 3, 2022 – Model Contract-Language for Medtech Cybersecurity (MC2): MC2 offers a reference for shared cooperation and coordination between Healthcare Delivery Organizations (HDOs) and Medical Device Manufacturers (MDMs) regarding the security, compliance, management, operation, services, and security of MDM-managed medical devices, solutions, and connections. It is strongly encouraged that all medical device manufacturers, health delivery organizations, and group purchasing organizations closely review this contract language and adopt as much as is appropriate for your organization. The more uniformity and predictability we can achieve in cross-enterprise cybersecurity management expectations, the greater strides we’ll make toward patient safety and a more secure and resilient healthcare system. The FAQs in this document supplement the MC2.
    • April 19, 2021 – Health Industry Cybersecurity – Securing Telehealth and Telemedicine (HIC-STAT):
      HIC-STAT identifies cyber risks and best practices associated with the use of telehealth and telemedicine, and summarizes the policy and regulatory underpinnings for telehealth/telemedicine cyber risk management. It is targeted for senior executives in healthcare and IT, telehealth service and product companies, and regulators.
    • September 22, 2020 – Health Industry Cybersecurity Supply Chain Risk Management Guide – Version 2 (HIC-SCRiM-v2):
      The HIC-SCRiM is a toolkit for small to mid-sized healthcare institutions to better ensure the security of the products and services they procure through an enterprise supply chain cybersecurity risk management program.
    • June 6, 2020 – Health Sector Return-to-Work (R2W) Guidance:
      This guidance compiles recommendations and considerations for managing a return-to-work (“R2W”) strategy for our healthcare institutions and companies approaching COVID phase-down, both domestically and internationally.
    • May 18, 2020 – Health Industry Cybersecurity Tactical Crisis Response Guide (HIC-TCR):
      The HIC-TCR is a tactical guide to advise health providers on tactical response activities for managing the cybersecurity threats that can occur during an emergency, such as the COVID-19 Pandemic.
    • May 14, 2020 – Health Industry Cybersecurity Protection of Innovation Capital (HIC-PIC):
      The HIC-PIC is a white paper with guidance for how healthcare organizations can protect trade secrets, medical research and other innovation capital from cyber theft.
    • March 11, 2020 – Health Industry Cybersecurity Information Sharing Best Practices (HIC-ISBP):
      The HIC-ISBP is a best practice guide for how healthcare organizations can set up and manage cyber threat information sharing programs for their enterprise.
    • March 9, 2020 – Management Checklist for Teleworking Surge During COVID-19 Response:
      The Teleworking Management Checklist is designed as a quick reference for healthcare enterprise management to consider important factors in a teleworking strategy that minimizes downtime and latency while supporting patient care, operational and I.T. security, and supply chain resilience.
    • October 15, 2019 – Updated Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM):
      The HIC-SCRiM is a toolkit for small to mid-sized healthcare institutions to better ensure the security of the products and services they procure through an enterprise supply chain cybersecurity risk management program.
    • October 9, 2019 – Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO):
      The HIC-MISO identifies many of the cybersecurity information sharing organizations and their key services, as health organizations are beginning to understand the importance of cybersecurity information sharing and implementing information sharing systems.
    • June 17, 2019 – Health Industry Cybersecurity Workforce Guide:
      The HIC Workforce Guide is a toolkit for recruiting and retaining a skilled cybersecurity workforce in the healthcare sector.
    • January 2, 2019 – Health Industry Cybersecurity Practices (HICP):
      The HICP is a four-volume publication that seeks to raise awareness on managing cyberthreats and safeguarding patient safety for executives, health care practitioners, providers, and health delivery organizations, such as hospitals.
    • January 28, 2019 – Medical Device and Health IT Joint Security Plan (JSP):
      The JSP is a total product lifecycle reference guide to developing, deploying and supporting cyber secure technology solutions in the health care environment.

    Policy Comment Letters

     

      Other Resources