On Oct. 25, 2023, in light of a “significant rise in the number and severity of cyber-attacks against hospitals and health systems in the last few years,” the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS) collaboratively released a cybersecurity toolkit.
The toolkit is intended to help healthcare and public health organizations design and improve their cybersecurity infrastructure. It combines existing resources, such as CISA’s Cyber Hygiene Services, HHS’ Health Industry Cybersecurity Practices, and the Healthcare and Public Health Sector Cybersecurity Framework Implementation Guide, with newer resources to help healthcare organizations of all types and sizes identify, resolve and prevent vulnerabilities. According to CISA and HHS representatives, healthcare entities are prime targets for cyberattacks because they are high value but easy targets — in other words, “target rich, cyber poor.”
The Cybersecurity Toolkit
The toolkit offers convenient and interactive resources, such as a cyber-incident reporting portal; industry best practices and resources on training and exercises; information on how to address ransomware events; additional resources on private and public sector partnership opportunities, advisories and alerts; and access to a public feed for real-time sharing of cyber-threat intelligence. The toolkit focuses on proper cyber hygiene, security risk assessments and incident response, and on providing access to additional funding and resources, such as information on the State and Local Cybersecurity Grant Program.
HHS and CISA are not alone in their emphasis on cybersecurity. The U.S. Food and Drug Administration recently released numerous medical device cybersecurity resources and guidance, including the launch of a digital health technology advisory committee. The Federal Trade Commission has been active in enforcing its Health Breach Notification Rule against entities that are healthcare-adjacent, and has proposed changes to strengthen the rule. (For details and background, see McGuireWoods’ Aug. 3, 2023, alert.) Healthcare and healthcare-adjacent entities now have a wealth of tools to assist with enhancing their cybersecurity.