
The HHS #Cyber Team

Cyber Safety is Patient Safety!

HHS works as a team to help the Healthcare and Public Health (HPH) sector prepare for and respond to cyber threats.

The National Defense Authorization Act of 2021, Section 9002, identifies HHS as the lead agency for the Healthcare and Public Health (HPH) sector all-hazards risk management function, known as the Sector Risk Management Agency (SRMA). ASPR’s Office of Critical Infrastructure Protection, within the Office of Preparedness, leads HHS divisions in collaborative efforts with federal, state, local, tribal, and territorial partners, and private sector owners/operators, in executing the mandated responsibilities of the SRMA, including cybersecurity-related responsibilities, and provides specialized sector-specific guidance, expertise, and supporting programs.

The HHS SRMA Cybersecurity Working Group

The HHS SRMA Cybersecurity Working Group (CWG) is the primary mechanism used to coordinate HHS’s execution of its statutory responsibility as the HPH SRMA. The CWG is the body that coordinates and collaborates across the HHS cyber community to identify cyber threats to the HPH sector, coordinates across HHS divisions to prepare for and mitigate potential or identified cyber incidents, shares information, and coordinates policy recommendations and messaging to strengthen and build resiliency within the HPH sector against cyber threats.

The following list explains the role that each partner plays on the HHS #Cyber Team in helping the HPH Sector prepare for and respond to cyber threats.

CWG
 
The Administration for Strategic Preparedness and Response’s (ASPR) Office of Critical Infrastructure Protection (CIP) acts as the Sector Risk Management Agency (SRMA) on behalf of HHS for the Health Care and Public Health (HPH) sector, promotes resilience in the sector to manage risk, and coordinates an effective overall federal response to health security threats, to include cyber threats.
 
HC3
The Health Sector Cybersecurity Coordination Center (HC3) enriches and analyzes cybersecurity threat information to develop objective mitigations for and in collaboration with the health and public health sector. HC3 achieves this through directed engagements, action-based alerts, and public threat briefings.
405(d)
The HHS 405(d) Program is a collaborative effort between the Health Sector Coordinating Council and the federal government to align healthcare industry security approaches by providing useful HPH-focused resources to help educate, raise awareness, and drive behavioral change.
ONS
The Office of National Security (ONS) conducts all-source intelligence analysis to inform HHS policy and drive operational planning activities. ONS executes its mission, through departmental and Intelligence Community coordination, by providing timely and relevant threat intelligence to HHS senior leaders and staff involved in executing the HPH SRMA mission.
FDA
The Food and Drug Administration (FDA) informs patients, healthcare providers and facility staff, and manufacturers about cybersecurity vulnerabilities for connected medical devices and requires that medical devices meet specific cybersecurity guidelines.
OCR
The Office for Civil Rights (OCR) administers and enforces the HIPAA Privacy, Security, and Breach Notification Rules through investigations, rulemaking, guidance, and outreach. The HIPAA Rules establish rights for individuals to their protected health information (PHI), requirements for HIPAA regulated entities on uses and disclosures of PHI, and privacy and security protections of PHI. OCR supports improved cybersecurity through cybersecurity investigations resolved with technical assistance, corrective action plans, or civil money penalties and by publishing cybersecurity resources for regulated entities and consumers through guidance, bulletins, newsletters, videos, and applications.
CMS
The Centers for Medicare & Medicaid Services (CMS) protects and controls the confidentiality, integrity, and availability of CMS information and information systems. CMS also works to promote cybersecurity and safe care in response to cyber threats across its programs, including Medicare, Medicaid, the Children’s Health Insurance Program, and the Health Insurance Marketplaces.
ONC
The Office of the National Coordinator for Health Information Technology (ONC), in the HHS Office of the Secretary, is a resource to the entire health system to support the adoption of health information technology and the promotion of nationwide, standards-based health information exchange to improve health care, including information privacy and security.
ARPA-H
The Advanced Research Projects Agency for Health (ARPA-H) launched the Digital Health Security (DIGIHEALS) project to ensure patients continue to receive care in the wake of a medical facility cyberattack.

The Joint Cybersecurity Working Group

The Joint Cybersecurity Working Group is a public-private partnership with the private Health Sector Coordinating Council that provides a forum to discuss cybersecurity issues and focuses on improving the security and resilience of HPH Sector information systems. The Working Group has multiple task groups supporting areas such as incident response and business continuity, legacy cybersecurity, vulnerability communications, and supply chain cybersecurity.

Cyber Resources from ASPR

ASPR's Cybersecurity Mailing List  
Policy, Guidance, and Tools 
Training and Education