HHS Launches Repository for Health Sector Cybersecurity HelpNew HHS 405(d) Program Website Offers Best Practices, Other Cybersecurity Resources
The Department of Health and Human Services has launched a new cybersecurity resource website aimed at helping healthcare and public sector entities of all sizes and types to better deal with the ever-evolving cyberthreat landscape.
The new HHS 405(d) Aligning Health Care Industry Security Approaches Program website was co-developed by HHS with its 405(d) Task Group.
The HHS 405(d) program and its cybersecurity advisory group were established under section 405(d) of the Cybersecurity Act of 2015.
The group includes more than 150 experts from the healthcare industry and federal government. Its work includes assisting HHS to better align industry security practices and develop consensus-based guidelines, processes and methodologies to strengthen the healthcare and public health sector’s posture against cyberthreats, HHS says in a Dec.1 statement about the new website.
The new website provides a single repository for healthcare and public health sector entities to access an array of resources, best practice documents, videos, newsletters and other tools aimed at raising awareness, driving behavioral change and moving toward consistency in mitigating the cybersecurity threats most relevant to the sector, HHS says.
“The new 405(d) Program website is a step forward for HHS to help build cybersecurity resiliency across the healthcare and public health sector," said Christopher Bollerer, HHS acting CISO, in the statement.
"Absolutely all sizes of organizations can use this [website]," says Erik Decker, CISO of Intermountain Health and industry co-lead of the HHS 405(d) Task Group.
"If you’re a small practice, we have built out lots of content just for you. If you’re a large organization, we have built out comprehensive cybersecurity practices and tools to help you."
"The website contains not only health industry cybersecurity practices, but also many tools," Decker says. For example, the Task Group produced a threat subpractice matrix for small, medium, and large-sized organizations, he says.
"This matrix allows organizations to select the threats they are most concerned with and easily guide them to the subpractices of health industry cybersecurity practice that directly mitigate those threats," he says.
The HHS 405(d) Program and its Task Group work are part of the healthcare industry's overall efforts to collaboratively improve the nation’s cyber readiness and response, says former healthcare CIO David Finn, a member of the HHS Cybersecurity Task Force and a vice president of the College of Healthcare Information Management Executives and its Association for Executives in Healthcare Information Management, a healthcare CISO professional organization.
"That collaborative effort between industry and the federal government aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current, most pertinent cybersecurity threats to the sector," he says.
The new website plays an important role in the effort, he says. "As a work product is developed, it only makes sense to make it as accessible as possible to the sector - easy to find, sort through and use," Finn says.
The website and its content, "most importantly, is not framed up in technical jargon and 'cyberspeak' but is designed to be understood by anyone working in healthcare," Finn says.
"CISOs, CIOs and their respective teams may find many of these tailored resources helpful to them in explaining cyber risk, operational and enterprise risk to non-IT, nonsecurity professionals, or they can use it as part of their overall awareness and training program for their organization," he says.
'Haves and Have-Nots'
Among its previous work, the HHS Cybersecurity Task Force issued a Healthcare Industry Cybersecurity Report for Congress in 2017 containing more than 100 recommendations for how healthcare can better address cybersecurity threats. Like the creation of the task force, that report was called for under the Cybersecurity Act of 2015 (see: Analysis: Are HHS' Cybersecurity Recommendations Achievable?).
A top goal for HHS and its Cybersecurity Task Force is to improve the overall security posture of the healthcare and public health sectors, Finn says.
"It was clear from the beginning, starting with the Cybersecurity Task Force report, that in terms of security, healthcare operated in a world of 'haves' and 'have-nots,'" he says.
"Many organizations had resources, staff and were making investments in security but more organizations, for a variety of reasons, were not making cybersecurity a priority." Finn says large organizations, including larger commercial providers and academic medical systems, tend to do a better job at security, while small, rural hospitals, private physician practices and safety-net providers often lag, he says.
Healthcare is one of the most "hyper-connected" sectors of the 16 critical infrastructure sectors in the U.S., according to Finn. "Any one healthcare organization can only be as secure as their weakest link - physician practices share with hospitals, payers share with all types of providers, small rural hospitals share with large academic medical centers and on and on.
"It is important that we raise the level of security for everyone or any one of us can be the next victim of a cyberattack."