HHS voluntary healthcare cybersecurity practices

The Department of Health and Human Services has released voluntary cybersecurity practices to the healthcare industry to move organizations “towards consistency” in mitigating cyber threats.

According to HHS, the four-volume publication guides “cost-effective methods that a range of healthcare organizations at every size and resource level can use to reduce cybersecurity risks.” It is meant to raise awareness of cyber threats and provide vetted practices.

“Cybersecurity is everyone’s responsibility—it is the responsibility of every organization working in healthcare and public health,” says HHS Acting Chief Information Security Officer Janet Vogel. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

HHS Headquarters in Washington, D.C.

As mandated by the Cybersecurity Act of 2015, HHS convened more than 150 cyber and healthcare experts from government and industry to develop the recommended practices as part of the Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Public-Private Partnership.

“The healthcare industry is truly a varied digital ecosystem—we heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats,” says Erik Decker, industry co-lead and chief information security and privacy officer at the University of Chicago Medicine. “That is exactly what this resource delivers; recommendations stratified by the organization's size, written for both the clinician and the IT subject matter expert.”

The main document lays out the five most relevant and current threats to the industry and recommends ten cybersecurity practices to help mitigate them. The publication also includes two technical volumes geared for IT and security professionals: Technical Volume 1 focuses on cybersecurity practices for small healthcare organizations, while Technical Volume 2 focuses on techniques for medium and large healthcare organizations.