Cybersecurity Resources
Industry
H-ISAC is a trusted community of critical infrastructure owners and operators within the Healthcare and Public Health (HPH) sector. The community is primarily focused on sharing timely, actionable and relevant information with each other, including intelligence on threats, incidents and vulnerabilities: indicators of compromise, the tactics, techniques and procedures (TTPs) of threat actors, advice and best practices, mitigation strategies and other valuable material. Sharing can occur machine to machine or human to human. H-ISAC also fosters relationship building and networking through a number of educational events in order to build trust. Working groups and committees focus on topics and activities of importance to the sector, and offerings such as Shared Services leverage the H-ISAC community for the benefit of all members.
The 405(d) program is a collaborative effort between industry and the federal government to align healthcare industry security practices in an effort to develop consensus-based guidelines, practices, and methodologies to strengthen the healthcare and public health (HPH) sector’s cybersecurity posture against cyber threats.
The HPHSCC has been established to serve as the Sector Coordinator (as defined in the 2003 Homeland Security Presidential Directive 7 and modified in the 2013 Presidential Policy Directive 21) by the Secretary of the Department of Health and Human Services (HHS) and the Department of Homeland Security (DHS).
The American Hospital Association (AHA) is the national organization that represents and serves all types of hospitals, health care networks, and their patients and communities. Nearly 5,000 hospitals, health care systems, networks, other providers of care and 43,000 individual members come together to form the AHA.
Government
Recent cyberattacks on healthcare facilities have had significant effects on every aspect of patient care and organizational continuity. They highlight the need for healthcare organizations of all sizes and types to implement cybersecurity best practices and conduct robust planning and exercising for cyber incident response and consequence management. As the number of cyberattacks on this sector increases, healthcare practitioners, facility executives, information technology professionals, and emergency managers must remain current on the ever-changing nature and type of threats to their facilities, systems, patients, and staff. These resources can help stakeholders better protect against, mitigate, respond to, and recover from cyber threats, ensuring patient safety and operational continuity.
The Health Sector Cybersecurity Coordination Center (HC3) was created by the Department of Health and Human Services to aid in the protection of vital, healthcare-related controlled information and to ensure that cybersecurity information sharing is coordinated across the Healthcare and Public Health (HPH) Sector.
The Office of Strategic Partnerships and Technology Innovation provides leadership for all scientific collaborative and emerging technology related activities at the Center for Devices and Radiological Health (CDRH).
As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The OCR breach portal lists the breaches that have been reported to the Secretary.
CISA Alerts & Bulletins
The Cybersecurity and Infrastructure Security Agency (CISA) leads the national effort to protect and enhance the resilience of the nation’s physical and cyber infrastructure. This website provides cybersecurity resources and best practices for businesses, government agencies, and other organizations.
Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption. StopRansomware.gov is the U.S. Government’s official one-stop location for resources to tackle ransomware more effectively.
Healthcare Landing Page on Stopransomware
Cybersecurity threats to healthcare organizations and patient safety are real. Health information technology provides critical life-saving functions and consists of connected, networked systems that leverage wireless technologies, which in turn leave such systems more vulnerable to cyber-attacks. Recent highly publicized ransomware attacks on hospitals, for example, necessitated diverting patients to other hospitals and led to an inability to access patient records to continue care delivery. Such cyber-attacks can also expose sensitive patient information and lead to substantial financial costs to regain control of hospital systems and patient data. From small, independent practitioners to large, integrated health systems, cyber-attacks on healthcare records, IT systems, and medical devices have compromised even well-protected systems.
Reducing the Risk of a Successful Cyber Attack
Adversaries use known vulnerabilities and phishing attacks to compromise the security of organizations. The Cybersecurity and Infrastructure Security Agency (CISA) offers several scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.
Vulnerability Scanning: Evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities. This service provides weekly vulnerability reports and ad-hoc alerts.
Web Application Scanning: Evaluates known and discovered publicly-accessible websites for potential bugs and weak configuration to provide recommendations for mitigating web application security risks.
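The value of a continuous external scan, as opposed to a one-off assessment, is the delta: an ad-hoc alert fires when a service appears on a public IP that was not there in the previous cycle. The following Python example is added here to illustrate that delta logic; it is not CISA's scanning tooling or its report format. The two snapshots are constructed sample data in a hypothetical `ip,port,service,state` CSV layout, and the `HIGH_RISK_PORTS` set is an assumed, illustrative triage list.

```python
"""Added example: diff two external-exposure snapshots and raise ad-hoc alerts.

Not CISA code. Snapshot format (ip,port,service,state) and the high-risk
port list are assumptions made for this illustration.
"""

# Constructed sample data: what last week's scan of our public IPs saw.
PREVIOUS_SNAPSHOT = """\
192.0.2.10,443,https,open
192.0.2.10,22,ssh,open
192.0.2.11,443,https,open
192.0.2.11,80,http,closed
"""

# Constructed sample data: what this week's scan saw.
CURRENT_SNAPSHOT = """\
192.0.2.10,443,https,open
192.0.2.10,3389,ms-wbt-server,open
192.0.2.11,443,https,open
192.0.2.12,8080,http-proxy,open
garbage line that a parser must not crash on
"""

# Assumed triage list: services that should essentially never face the
# internet from a hospital network (SMB, RDP, Telnet, FTP, VNC).
HIGH_RISK_PORTS = {21, 23, 445, 3389, 5900}


def parse_snapshot(text):
    """Return the set of (ip, port, service) tuples whose state is 'open'.

    Malformed lines are skipped rather than aborting the whole comparison,
    so one bad record cannot suppress an alert for every other host.
    """
    exposures = set()
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 4:
            continue
        ip, port, service, state = fields
        if state != "open" or not port.isdigit():
            continue
        exposures.add((ip, int(port), service))
    return exposures


def diff_snapshots(previous_text, current_text):
    """Compare two snapshots; 'new' is the exposure delta that needs review."""
    previous = parse_snapshot(previous_text)
    current = parse_snapshot(current_text)
    return {
        "new": sorted(current - previous),
        "closed": sorted(previous - current),
        "unchanged": sorted(current & previous),
    }


def ad_hoc_alerts(diff):
    """Newly exposed services on high-risk ports warrant an immediate alert,
    not a mention in the weekly report."""
    return [exposure for exposure in diff["new"] if exposure[1] in HIGH_RISK_PORTS]


if __name__ == "__main__":
    result = diff_snapshots(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)
    for exposure in result["new"]:
        print("NEW EXPOSURE:", exposure)
    for exposure in result["closed"]:
        print("closed since last scan:", exposure)
    for exposure in ad_hoc_alerts(result):
        print("ALERT (high-risk port):", exposure)
```

Run against real scan output, the same shape of comparison is what turns a weekly report into something an on-call engineer can act on: the RDP listener that appeared on 192.0.2.10 is the finding, and the 443 listeners that were there last week are noise. Keep the previous snapshot as the baseline even when a host is briefly unreachable, otherwise a transient outage registers as "closed" and the service reappears as "new" next cycle.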
Tools
Healthcare System Cybersecurity Readiness Response Considerations
As part of our nation’s critical infrastructure, healthcare facilities large and small must be proactive and move quickly to protect themselves from cyberattacks that could directly impact the health and safety of patients and the community at large. According to medical health experts experienced in cybersecurity preparedness, cyberattacks are identified as the top threat in many healthcare systems’ annual Hazard Vulnerability Analyses (HVA). The federal government, with other public and private sector partners, has worked diligently to defend against the growing number of cyberattacks on the healthcare industry.
The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost resilience of the Union’s infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule, which together protect your fundamental rights of nondiscrimination, conscience, religious freedom, and health information privacy.
The purpose of this toolkit is to provide guidance and reference for organizations to implement or expand their telemedicine/telehealth programs. The toolkit is also an excellent resource for those who would like to gain a deeper understanding about telemedicine in general, the structure of a telemedicine program, and what steps are required to successfully implement and maintain a telemedicine program. This toolkit provides an overview of telemedicine, areas to consider for getting started, strong information governance (IG) practices to achieve success, and the various requirements necessary to stay compliant and deliver effective healthcare.
Cyber Security Evaluation Tool
We would like to announce CSET version 9.2, available for download at https://github.com/cisagov/cset/wiki starting Monday, November 4th. This latest version of CSET includes a number of new feature enhancements and upgrades:
• Web based diagram editor
• Enhanced reporting
• A new capability maturity model for financial sector customers
• NCUA ACET Standard
• Financial sector risk assessment wizard
• New analysis for network diagram questions
• TSA-2018 Pipeline security standard
• And the often requested ISA-62443.
This new version continues to build on an already flexible open source platform that allows easy installation via a Windows installer or by building from source. It saves time and money by providing a disciplined, repeatable assessment process without having to wade through hundreds of pages of cybersecurity standards.
Reports
Health Care Industry Cybersecurity Task Force
The health care system cannot deliver effective and safe care without deeper digital connectivity. If the health care system is connected, but insecure, this connectivity could betray patient safety, subjecting them to unnecessary risk and forcing them to pay unaffordable personal costs. Our nation must find a way to prevent our patients from being forced to choose between connectivity and security.
2016 Healthcare and Public Health Sector Specific Plan
This Healthcare and Public Health (HPH) Sector-Specific Plan (SSP) is designed to guide the Sector’s internal and collaborative, cross-sector efforts to enhance the security and resilience of HPH critical infrastructure to all-hazards across its physical, cyber, and human dimensions. The SSP tailors the strategic guidance provided in the National Infrastructure Protection Plan 2013 (NIPP 2013) to the unique operating conditions and risk landscape of the vast and complex HPH Sector.
United States Executive Order on Improving the Nation’s Cybersecurity
News Sources
HealthcareInfoSecurity is a multi-media website published by Information Security Media Group, Corp. (ISMG), a company specializing in coverage of information security, risk management, privacy and fraud. Headquartered in Princeton, New Jersey, USA, ISMG provides news, opinions, education and other related content to assist senior executives and information security professionals as they navigate the increasingly challenging world of information security.
HealthTech explores technology and healthcare issues — and shares success stories — relevant to IT leaders and managers at healthcare and senior care organizations evaluating and implementing solutions. HealthTech is published by CDW, which is headquartered in Vernon Hills, Ill.
SC Media is the essential resource for cybersecurity professionals — the flagship information brand of CyberRisk Alliance and the gateway to content from Security Weekly, CRA Business Intelligence, Infosec World, and SC Events. These resources offer an unparalleled range of foresight, learning, and collaboration — news-analysis and enterprise reporting; practitioner-led podcasts and videos; research, data, and product reviews; events, conferences, and training; and much more. Through these resources and our authoritative network of advisers, faculty, and contributors, we convene and engage the complete cyber community, to share insight with, by, and for security practitioners and leaders.