HHS Partners with the Private Sector to Enhance Cybersecurity across Health Systems and Address Future Vulnerabilities
Today, the U.S. Department of Health and Human Services (HHS), through the Administration for Strategic Preparedness and Response (ASPR), released a
cybersecurity implementation guide to help the public and private health care sectors prevent cybersecurity incidents. The
Cybersecurity Framework Implementation Guide provides specific steps that health care organizations can take immediately to manage cyber risks to their information technology systems.
“Cyber incidents pose risks to patient data, intellectual property, scientific or laboratory research, medical manufacturing, and ultimately the ability of health care organizations to safely serve their patients,” said HHS Deputy Secretary Andrea Palm. “The release of this guide will help health care organizations become better equipped to assess and improve their cybersecurity.”
The was jointly developed by HHS ASPR and the
Health Sector Coordinating Council (HSCC) Cybersecurity Working Group, a public-private partnership under Presidential Policy Directive 21. The National Institute for Standards and Technology (NIST) and other federal agencies contributed substantially to its content. Recent high-profile cyberattacks reinforce the need for companies and organizations to assess their cyber health and resilience and take actions to improve cybersecurity.
Cyber incidents can cause doctors to lose access to critical monitoring and record systems, patients may need to be transferred to different facilities which can delay their care, and equipment can go down forcing the use of manual processes – impacting the safety and wellbeing of patients.
“Health care cyberattacks are among the fastest growing type of cybercrime – jeopardizing patient care, damaging the integrity of health care systems, and threatening the U.S. economy,” said Assistant Secretary for Preparedness and Response Dawn O’Connell. “Health care organizations must safeguard their information technology systems to help prevent attacks and create a culture of cyber safety in the health care industry.”
Using this guide, health care organizations can assess their current cybersecurity practices and risks – identifying gaps for remediation. The guide serves as a roadmap for health care and private health sector organizations to implement the NIST Cybersecurity Framework, including:
- Guiding risk management principles and best practices
- Providing common language to address and manage cybersecurity risk
- Outlining a structure for organizations to understand and apply cybersecurity risk management
- Identifying effective standards, guidelines, and practices to manage cybersecurity risk cost-effectively based on business needs
The 2018 NIST Framework for Improving Critical Infrastructure Cybersecurity is a risk management model that has become the standard for government agencies and industry in managing cybersecurity risks. The guide released today adapts the 2018 NIST Framework for health care organizations. Using the guide released today, health care organizations, will be better equipped to implement the security framework using their existing security measures with minimal disruptions to their current operations.
“This is another great step forward in strengthening the partnership between HHS and the Health Sector Coordinating Council,” said HHS Chief Information Security Officer La Monte R. Yarborough. “This Framework Implementation Guide joins a growing list of jointly produced resources that are aligned with the NIST framework – allowing organizations of all sizes to implement cybersecurity best practices, protect their patients, and make the sector more resilient.”
About HHS and ASPR:
HHS works to enhance and protect the health and well-being of all Americans, providing for effective health and human services and fostering advances in medicine, public health, and social services. ASPR, an operating division of HHS, leads the department in preparing the nation to respond to and recover from adverse health effects of emergencies, supporting communities' ability to withstand adversity, strengthening health and response systems, and enhancing national health security.
# # #