Recommended Cybersecurity Practices

    • October 17, 2023 – Reprint Medtech Vulnerability Communications Toolkit (MVCT): MVCT is a toolkit written to provide specific tools to medical device manufacturers and software developers for creating cybersecurity vulnerability communications related to their products or services. This toolkit focuses on vulnerability communications directed to non-security professionals, including clinicians, patients, users and other readers not familiar with cybersecurity and connected technologies. It is intended to help medical device manufacturers formulate and communicate vulnerability disclosures that all affected audiences, including nontechnical stakeholders, can understand.
    • July 6, 2023 – Coordinated Healthcare Incident Response Plan: A preparedness and response template for disruptive cyber incidents involving health systems, hospitals and clinics. Provides guidance for maintaining clinical and business operations as the effects of a cyber attack threaten not only revenue but patient safety.
    • April 20, 2023 – Health Industry Cybersecurity Recommendations for Government Policy and Programs:
      As ransomware attacks increase against the health sector generally and small critical access and rural health systems specifically, the HSCC Cybersecurity Working Group offers these ideas, as alternatives or supplements to regulation, for government policies, programs, incentives and assistance to facilitate improved cybersecurity awareness and investment in the sector.
    • As a component of the four-part health sector cybersecurity initiative including the joint HHS-HSCC Hospital Cyber Resiliency Landscape Analysis, the recently updated publication of the Health Industry Cybersecurity Practices 2023 (HICP 2023), and the Health Industry Cybersecurity Recommendations for Government Policy and Programs, this resource recommends to industry and government partners the HICP practices judged by the HSCC Cybersecurity Working Group to be the most relevant, and therefore prioritized, controls against the vulnerabilities identified in the Landscape Analysis that most frequently result in cyber exploitation and incidents.
    • April 17, 2023 – Health Industry Cybersecurity Practices 2023: The HICP 2023 is an update to the 2019 HICP publication developed jointly by the HSCC and HHS. It provides executives, health care practitioners, providers, and health delivery organizations, such as hospitals, with best practices for managing cyberthreats to safeguard patient safety.
    • April 17, 2023 – Hospital Cyber Resiliency Landscape Analysis (Health Industry and HHS 405(d) Joint Publication):
      Health delivery organizations across the United States have faced dramatic increases in cyber-attacks intended to cause disruption to the care continuum. In response to this growing threat, the HHS 405(d) Program conducted this Landscape Analysis, which identifies the vulnerabilities and threats most frequently resulting in damaging attacks against hospitals and assesses the hospitals’ known capabilities for preventing damaging cyber incidents.
    • April 5, 2023 – Cybersecurity for the Clinician Video Training Series – This 8-part video training series totaling 47 minutes explains in non-technical language what clinicians and students in the medical profession need to understand about how cyber attacks can affect clinical operations and patient safety, and how to help keep healthcare data, systems and patients safe from cyber threats.
    • April 29, 2022 – Operational Continuity Cyber Incident (OCCI): This Operational Continuity Cyber Incident (OCCI) checklist is intended to provide a flexible template for operational staff and executive management to respond to and recover from an extended enterprise outage due to a serious cyber-attack. Its suggested operational structures and tasks can be modified or refined according to an organization’s size, resources, complexity and capabilities.
    • March 3, 2022 – Model Contract-Language for Medtech Cybersecurity (MC2): MC2 offers a reference for shared cooperation and coordination between Healthcare Delivery Organizations (HDOs) and Medical Device Manufacturers (MDMs) regarding the security, compliance, management, operation, services, and security of MDM-managed medical devices, solutions, and connections. It is strongly encouraged that all medical device manufacturers, health delivery organizations, and group purchasing organizations closely review this contract language and adopt as much as is appropriate for your organization. The more uniformity and predictability we can achieve in cross-enterprise cybersecurity management expectations, the greater strides we’ll make toward patient safety and a more secure and resilient healthcare system. The FAQs in this document supplement the MC2.
    • June 6, 2020 – Health Sector Return-to-Work (R2W) Guidance:
      This guidance compiles recommendations and considerations for managing a return-to-work (“R2W”) strategy for our healthcare institutions and companies approaching COVID phase-down, both domestically and internationally.
    • March 9, 2020 – Management Checklist for Teleworking Surge During COVID-19 Response:
      The Teleworking Management Checklist is designed as a quick reference for healthcare enterprise management to consider important factors in a teleworking strategy that minimizes downtime and latency while supporting patient care, operational and I.T. security, and supply chain resilience.
    • January 2, 2019 – Health Industry Cybersecurity Practices (HICP):
      The HICP is a four-volume publication that seeks to raise awareness on managing cyberthreats and safeguarding patient safety for executives, health care practitioners, providers, and health delivery organizations, such as hospitals.

Other Resources