The United States Department of Health and Human Services (HHS), working in coordination with industry leaders, has stepped up efforts to play a central role in helping health care organizations defend against cybersecurity threats.
On April 17, 2023, the U.S. Department of Health and Human Services 405(d) Program announced the release of a set of resources aimed at helping address cybersecurity concerns in the Health Care and Public Health (HPH) Sector. The Knowledge on Demand platform makes free cybersecurity trainings available to health sector workforce members on five important topics: social engineering, ransomware, loss or theft of equipment or data, insider accidental or malicious data loss and attacks against network connected medical devices. Importantly, Health Industry Cybersecurity Practices 2023 (HICP) was published, aiming to raise awareness of risks, provide best practices and help the HPH Sector set standards for mitigating key threats. Lastly, the Hospital Cyber Resiliency Landscape Analysis provides a cogent report on U.S. hospitals’ current state of cybersecurity preparedness. All of these resources are available on the HHS 405(d) website at 405d.hhs.gov.
On April 6, 2023, the Office of Information Security and Health Sector Cybersecurity Coordination Center (HC3) hosted a briefing, Electronic Medical Records Still a Top Target for Cyber Threat Actors. HHS warned health care organizations of the cybersecurity threat posed to electronic medical records and electronic health records.
Notably, in March 2023, HHS’ Administration for Strategic Preparedness and Response (ASPR) released a new roadmap to assist health care organizations with responding to cyber threats. This new guide—the Health Care and Public Health Sector Cybersecurity Framework Implementation Guide Version 2—is the product of a public-private partnership designed to improve cyber risk management in an era of rising cyberattacks in the health care space.
The guide contains a series of voluntary best practices for helping health care organizations address cybersecurity risks. These best practices address risk identification and management, access control and supply chain monitoring, along with corporate board management of cyber risk management programs. The foreword to the guide called out five key issues the National Association of Corporate Directors (NACD) Director’s Handbook on Cyber-Risk Oversight highlights for corporate boards to consider as they oversee cybersecurity and cyber risk management programs, including approaching cybersecurity as an enterprise-wide risk management issue instead of merely an Information Technlogy (IT) issue.
The guide is intended to help public and private health care organizations align their information security programs with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). NIST is in the process of updating the Cybersecurity Framework and released a Discussion Draft of the NIST CSF 2.0 Core on April 23, 2023. Separately, NIST proposed a new framework for artificial intelligence (AI) earlier this year (see here for more details on this AI framework).
Please contact a member of Akin’s cybersecurity, privacy and data protection team if you need legal advice in connection with health care cybersecurity risk management and how you might better protect your organization.