2023 HSCC Cybersecurity Working Group

The following Task Groups constitute the HSCC Cybersecurity Working Group’s 2023 work plan.

  • 405(d) – HEALTH INDUSTRY CYBERSECURITY PRACTICES – (Joint HHS-SCC publication)

Update and amplify the HICP (Health Industry Cybersecurity Practices 2023) with supporting collateral material and timely cyber events, marketing and partnerships. Version 2 to be published Spring 2023. See: https://405d.hhs.gov/

  • 5-YEAR STRATEGIC PLAN

Develop industry-wide 5-year strategic plan and success measures for healthcare cybersecurity and HSCC tactical programs and initiatives to facilitate achievement of industry objectives.

  • INCIDENT RESPONSE AND BUSINESS CONTINUITY

Develop a healthcare cyber incident response and business continuity plan aligned with existing physical incident response protocols.

  • MEASUREMENT

Developing methodology and inventory for relevant cyber measures; serving as clearinghouse for measurement efforts of other task groups

  • MEDICAL TECHNOLOGY CYBERSECURITY (Joint Security Plan v2 – “JSP2”)

Review and update 2019 Medical Device and Health IT Joint Security Plan to reflect developments in medical device security and to integrate subsequent work products on legacy device security, model cybersecurity contract language for medical technology, and vulnerability communications standardization

  • MEDICAL TECHNOLOGY LEGACY DEVICES

Finalizing work on guidance on shared responsibility for managing cybersecurity of installed medical devices reaching end of support / end of life

  • MEDICAL TECHNOLOGY MODEL CONTRACTS

Published March 2022; Monitoring implementation feedback for eventual v2

  • MEDICAL TECHNOLOGY VULNERABILITY COMMUNICATIONS

Provide guidance to differing stakeholders (MDMs, HDOs, clinicians, patients) on preparing, receiving and acting on medical device vulnerabilities. First publication April 2022 on patient awareness. Second version on HDO preparedness in process.

  • OUTREACH and AWARENESS

Developing CWG brand and document formatting templates, and marketing strategy for publications and messaging

  • POLICY

Activates as needed for policy proposals and response

  • PRIVACY-SECURITY COLLABORATION

Facilitate the interdependence of security and privacy risk to confidentiality, integrity, and availability of entity systems, data, etc., in patient safety and care.

  • PUBLIC HEALTH CYBERSECURITY

Identify strategies for strengthening the cybersecurity and resilience of SLTT public health agencies with the support of private sector and academic organizations.

  • RISK ASSESSMENT – (Joint HHS-SCC publication)

Finalized NIST Cyber Framework Implementation guide; under review by HHS for co-branding.  New initiatives may include developing guidance for aligning enterprise controls with NIST CSF implementation tiers and possibly using the CSF to identify, measure and manage cyber risk to patient safety and privacy.

  • SUPPLY CHAIN

Results of survey on critical supplier risk management will inform subsequent development of related best practices.

  • WORKFORCE DEVELOPMENT

Preparing series of cybersecurity training videos for clinicians and healthcare students on specific aspects of cybersecurity.  Release mid-2023