HHS releases new online educational platform, publication and report to aid cybersecurity in health sector

Due to the rising threat of cyberattacks against the health and public health sector, the U.S. Department of Health and Human Services (HHS) this week released three new resources under its HHS 405(d) Program to aid cybersecurity efforts.

Together with the Health Sector Coordinating Council Cybersecurity Working Group (HSCC CWG), the 405(d) program launched a platform known as Knowledge on Demand, updated Health Industry Cybersecurity Practices (HICP) for 2023, and released a report on domestic hospitals’ current cybersecurity landscape. Of particular note: the new platform is the first time HHS has given away cybersecurity training to the health sector workforce for free.

“Cyberattacks are one of the biggest threats facing our health care system today, and the best defense is prevention,” Deputy Secretary Andrea Palm said. “These trainings will serve as an asset to any sized organization looking to train staff in basic cybersecurity awareness and are offered free of charge, ensuring that those hospitals and health care organizations most vulnerable to attack can take steps toward resilience. This is part of HHS’s continued commitment to working with hospitals, Congress, and industry leaders in protecting America’s patients.”

Knowledge on Demand will offer awareness training on social engineering, ransomware, loss or theft of equipment or data, insider accidental or malicious data loss, and attacks against network-connected medical devices. Each topic includes videos, job aids, and PowerPoint presentations accessible through the 405(d) website, which likewise houses the updated cybersecurity practices for 2023.

The HICP is a publication that pushes for awareness of cybersecurity risks and, in turn, offers best practices and help for the health sector to mitigate the biggest cybersecurity threats. The first such document was published in 2018, with common sets of voluntary, consensus-based, industry-led cybersecurity guidelines, practices, methods, and more for healthcare organizations. The 2023 version was updated by more than 150 industry and federal professionals and includes a focus on social engineering attacks meant to trick people into revealing information they can use to attack systems or networks.

Separately, the Hospital Cyber Resiliency Landscape Analysis showed that 89 percent of hospitals surveyed now conduct regular vulnerability scanning on at least a quarterly basis but that advanced forms of testing remain at 20 percent or lower. Multi-factor authentication has also become commonplace, with over 90 percent of surveyed hospitals utilizing the safety precaution, but the report warned that it may not be used consistently across key systems, creating points to exploit and access hospital systems.

Overall, the data implied hospitals were moving in the right direction for security but made it clear that directly targeted ransomware attacks aimed to disrupt clinical operations remain the largest and growing threat to the sector. Further, supply chain risk remains pervasive – only 49 percent of hospitals touted adequate coverage in managing risks to supply chain management, and 50 percent or less are considering patient safety risks from third-party suppliers.