2024 HSCC Cybersecurity Working Group
The following Task Groups constitute the HSCC Cybersecurity Working Group’s 2024 work plan.
405(D) – Health Industry Cybersecurity Practices
Update and amplify the HICP (Health Industry Cybersecurity Practices 2023) with supporting collateral material and timely cyber events, marketing and partnerships. Version 2 to be published Spring 2023. See: https://405d.hhs.gov/.
Artificial Intelligence Cybersecurity
Identify the emerging risks associated with the use of AI/ML-based products and services in HPH and develop recommendations for their mitigation. Develop guidelines, standards, and best practices for AI safety and security.
Landscape Analysis
Update the 2023 Hospital Cybersecurity Landscape Analysis, which identified the vulnerabilities and threats most frequently resulting in damaging attacks against hospitals and assessed the hospitals’ known capabilities for preventing damaging cyber incidents. Version 2 of the L.A. will incorporate more data in the analysis and consider vulnerabilities and incidents faced by subsectors other than just health providers.
Medical Technology Updating and Patching
Develop a guide for mutual expectations among health delivery organizations and medical device manufacturers about updating and patching medical devices in the clinical environment, and associated risk, prioritization and cost.
Medical Technology Vulnerability Communications
Provide guidance to differing stakeholders (MDMs, HDOs, clinicians, patients) on preparing, receiving and acting on medical device vulnerabilities. First publication April 2022 on patient awareness. Second version on HDO preparedness in process.
Operational Manufacturing Technology Cybersecurity
Develop leading practices for cybersecurity management of operational/manufacturing technology. Initially focused on medical technology and pharmaceutical subsectors.
Public Health Cybersecurity
Identify strategies for strengthening the cybersecurity and resilience of SLTT public health agencies with the support of private sector and academic organizations.
Outreach And Awareness
Developing CWG brand and document formatting templates, and marketing strategy for publications and messaging.
Risk Assessment
Finalized NIST Cyber Framework Implementation guide; under review by HHS for co-branding. New initiatives may include developing guidance for aligning enterprise controls with NIST CSF implementation tiers and possibly using the CSF to identify, measure and manage cyber risk to patient safety and privacy.
Sector Mapping and Risk Template
Develop a methodology to identify chokepoints in the healthcare system that could impact the flow of electronic health information, payments, or medical services for core healthcare delivery and ancillary functions. Assess clinical, administrative, and financial impacts of cybersecurity incidents against and through third-party entities. Integrate findings into third-party and sector risk assessment and management plan.
Strategic Plan Implementation
Organized Health Industry Cybersecurity Strategic Plan into an implementation structure, process and timeline to achieve its 10 Goals and 12 Objectives by the target of 2029.
Under-Resourced Provider Cybersecurity Advisory Group
A series of documented listening sessions with management of under-resourced providers to hear perspectives about cybersecurity, financial and operational challenges, and the providers’ needs for incentives and other assistance to meet cybersecurity obligations.