HHS releases cybersecurity implementation guide for public, private health systems

Hoping to address vulnerabilities in health systems throughout the United States, the Department of Health and Human Services (HHS) released a new cybersecurity implementation framework this week with specific steps for public and private healthcare organizations to pursue.

“Cyber incidents pose risks to patient data, intellectual property, scientific or laboratory research, medical manufacturing, and ultimately the ability of health care organizations to safely serve their patients,” HHS Deputy Secretary Andrea Palm said. “The release of this guide will help health care organizations become better equipped to assess and improve their cybersecurity.”

Jointly developed by the HHS Administration for Strategic Preparedness and Response (ASPR) and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group, the Cybersecurity Framework Implementation Guide looked at cyber risks to information technology systems and how best to address them. This, HHS noted, would help keep doctors from losing access to critical monitoring and record systems, and help prevent delays in patient transfers, equipment issues, and many other digitally inflicted problems that could literally affect lives.

Given this, the guide offered a roadmap for organizations to implement the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The roadmap includes risk management principles and best practices, a common language for cybersecurity risks, a structured outline for understanding and applying risk management, and a host of standards, guidelines, and practices for managing cybersecurity risks cost-effectively. In the wake of high-profile cyberattacks over recent years, federal agencies have stressed the need for reinforced cyber health and security actions.

“Health care cyberattacks are among the fastest growing type of cybercrime – jeopardizing patient care, damaging the integrity of health care systems, and threatening the U.S. economy,” Dawn O’Connell, Assistant Secretary for Preparedness and Response, said. “Health care organizations must safeguard their information technology systems to help prevent attacks and create a culture of cyber safety in the health care industry.”

The 2018 NIST Framework for Improving Critical Infrastructure Cybersecurity, utilized here, is a management model that has since become the standard for managing cybersecurity risks among government agencies and affiliated industries. Some elements are adapted on an industry-by-industry basis, as was the case for this healthcare version.

Chris Galford
