November 21, 2023

Cybersecurity Toolkit for Healthcare and Public Health Sector

On November 1, 2023, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Department of Health and Human Services (“HHS”) co-hosted a roundtable discussion on the cybersecurity challenges that the US healthcare and public health (“HPH”) sector faces, and on how government and industry can work together to close the gaps in resources and cyber capabilities. Ahead of the roundtable, CISA and HHS released a cybersecurity toolkit that includes resources tailored for the healthcare and public health sector.

According to CISA Deputy Director Nitin Natarajan, “adversaries see healthcare and public health organizations as high value yet relatively easy targets – or what [CISA calls] target rich, cyber poor. Given that healthcare organizations have a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for [bad actors].”

According to HHS Deputy Secretary Andrea Palm, “[HHS has] seen a significant rise in the number and severity of cyber attacks against hospitals and health systems in the last few years. These attacks expose vulnerabilities in our healthcare system, degrade patient trust, and ultimately endanger patient safety. The more they happen, and the longer they last, the more expensive and dangerous they become.”

As a result of the combined efforts of CISA, HHS, and the Health Sector Coordinating Council (“HSCC”) Cybersecurity Working Group to deliver tools, resources, training, and information that can help organizations within the HPH sector, these agencies have developed and released a new Cybersecurity Toolkit for Healthcare and Public Health entities (the “Cybersecurity Toolkit”) that was unveiled at the November 1 roundtable. The new Cybersecurity Toolkit can be found online at and consolidates/supplements the following resources:

  • CISA’s Cyber Hygiene Services, which use vulnerability scanning to help secure against known vulnerabilities, reduce the risk of cyberattacks, and encourage the adoption of best practices. These services are provided by CISA security experts on request.
  • HHS’s Health Industry Cybersecurity Practices, which was developed with industry, outlines effective cybersecurity practices healthcare organizations of all sizes can adopt to become more cyber resilient.
  • HHS and the HSCC’s HPH Sector Cybersecurity Framework Implementation Guide, which helps organizations assess and improve their level of cyber resiliency and provides suggestions on how to link cybersecurity with overall information security and privacy risk management activities.

The Cybersecurity Toolkit consolidates key resources for HPH organizations at every level. Starting with the fundamental cyber hygiene steps that every organization and individual should take, the toolkit can help organizations within the HPH sector build their cybersecurity foundations and implement more advanced, complex tools to strengthen their defenses and stay ahead of current threats.

The Cybersecurity Toolkit provides the following tools at “Healthcare and Public Health Sector: Know the Risks, Use Cyber Hygiene | CISA”: (i) Hospital Cyber Resiliency Landscape Analysis; (ii) HPH Sector Cybersecurity Framework Implementation Guide, Version 2; (iii) Health Industry Cybersecurity Practices (“HICP”): Managing Threats and Protecting Patients; (iv) Healthcare and Public Health Sector Risk Identification and Site Criticality (“RISC”) Toolkit; (v) Security Risk Assessment (“SRA”) Tool; (vi) Cyber Hygiene Services; (vii) Known Exploited Vulnerabilities Catalog; and (viii) Secure Our World cybersecurity awareness program.

The Cybersecurity Toolkit provides the following additional tools at “Healthcare and Public Health Sector: Strengthen your Defenses and Mature your Cybersecurity Efforts | CISA”: (i) Healthcare Sector Council Publications; (ii); (iii) Cyber Resource Hub; (iv) Cybersecurity Training and Exercises; (v) Cyber Incident Response Basics; (vi) Free [non-CISA] Cybersecurity Services and Tools; (vii) Priority Telecommunications Services; and (viii) Communications Cyber Resiliency Toolkit.

The Cybersecurity Toolkit also provides guidance to address resource constraints at “Healthcare and Public Health Sector: Address Resource Constraints | CISA”.

Various elements of the Cybersecurity Toolkit can be useful even for organizations that have professional IT and cybersecurity staff. To discuss the Cybersecurity Toolkit and its application to your organization, please contact the authors or your usual Goodwin contact.