HHS issues new cyber incident response resources for healthcare sector
The Department of Health and Human Services has issued a raft of new cybersecurity resources for healthcare companies in response to rising cyberattacks against the sector.
In an update Monday, the agency’s Health Care Industry Cybersecurity Task Force published new guidance for addressing key cybersecurity threats as well as a digital training platform for hospitals.
The new resources come amid an increase in cyberattacks hitting healthcare organizations. In a blog post published last month, Microsoft noted that the number of DDoS attacks against its customers in the healthcare sector had risen from “10-20 attacks in November” to “40-60 attacks daily in February.”
HHS’s new guidance comes in the form of a 2023 edition of its Health Industry Cybersecurity Practices document, which has been updated with input from industry and federal cybersecurity professionals.
That document provides guidelines for hospitals’ core cybersecurity best practices and sets parameters for cybersecurity information sharing with the federal government. It was first published in 2018 by the 405(d) task group, which is a group of industry and government experts convened to establish a consensus-based set of cybersecurity guidelines for the healthcare sector.
Commenting on the new guidance, Erik Decker, vice president and chief information security officer of Intermountain Health and chair of the health sector coordinating council cybersecurity working group in Salt Lake City, Utah, said: “Staying current and responsive to evolving cyber threats is critical to protecting patient safety. HICP 2023 is the updated version that our industry needs to make sure they are applying scarce resources to the highest threat.”
“This will give the most underserved hospitals the best return on investment for cyber investment,” he said.
HHS’s 405(d) task group was established in response to the Cybersecurity Act of 2015, which sought to improve voluntary information sharing between U.S. government agencies and non-government entities prior to and during cybersecurity incidents.