CISA and HHS Provide Cyber Toolkit for Healthcare Organizations

On October 25, 2023, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Department of Health and Human Services (“HHS”) released a cybersecurity toolkit containing resources and information that organizations in the healthcare and public health (HPH) sector can utilize to reduce their cyber risk.

Background

HPH is one of the sectors most targeted by threat actors due to the valuable data collected by organizations within this sector, such as health records, personally identifiable information, and financial information. HPH organizations also are reputedly “cyber poor” targets, (seen as having generally poor cyber hygiene). In addition, these organizations typically operate numerous connected medical devices, some of which have hardware and software vulnerabilities that threat actors can exploit to access key systems and records. The encryption of (or loss of access to) data and medical systems places extraordinary pressure on healthcare providers, as any disruption could delay lifesaving medical care.

The pandemic accelerated the healthcare industry’s adoption of digital technology for remote work, patient communications, and medical treatment. However, the expansion of this digital ecosystem has also increased the potential attack surface for healthcare organizations. The HPH sector has generally been slower to achieve robust cybersecurity due to tight budgets and difficulties in recruiting qualified cybersecurity staff.¹

High-profile cyberattacks illustrate the unique consequences of such attacks on the HPH sector. In October 2022, one of the nation’s largest healthcare systems was the victim of a ransomware attack that forced hospitals in several states to cancel medical procedures, divert ambulances to other facilities, and use paper records. The company estimated that the attack cost $160 million, including revenue losses and remediation expenses. Furthermore, the company now faces class action litigation resulting from the exposure of its patients’ health and personal information.

Recognizing the cybersecurity challenges unique to the HPH sector, CISA, HHS, and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group have collaborated to create and consolidate resources that HPH organizations can leverage to improve their cybersecurity programs, and reduce the risk of cybersecurity incidents across the sector.

The Cybersecurity Toolkit for HPH

The Cybersecurity Toolkit for HPH (the “Toolkit”)² is a comprehensive resource hub, for organizations of all sizes and levels of sophistication, which can be used to help implement more advanced measures to improve their cyber hygiene, assess vulnerabilities, and proactively respond to cybersecurity threats.

The Toolkit includes:

• Cyber Hygiene Services: CISA cybersecurity assessment resources for HPH organizations and Services Catalog, providing users information on other no-cost cybersecurity tools and services designed to help organizations manage risk and improve their cyber hygiene.
• Landscape & Threat Analysis: Resources to help users understand current cyber capabilities and preparedness of HPH organizations and the specific types of cyber threats impacting them.
• Cybersecurity Risk Assessment Tool: A risk assessment tool developed by HHS’ Office of the National Coordinator for Health Information and Office for Civil Rights to help small and medium-sized organizations identify and assess security risks within their organization.
• Cybersecurity Best Practices: Resources to help users understand and implement cybersecurity best practice recommendations and guidance identified by HHS, including email protection, endpoint protection, access management, data protection, incident response, and governance.
• Advisories and Alerts: Various advisories and listservs for HPH organizations to receive immediate threat intelligence and invitations to monthly threat briefings.
• Cybersecurity Training and Exercises: CISA training and education materials, including free tabletop exercise packages for employees in the HPH sector and the general public.

The Toolkit is not intended to cover legal requirements for healthcare security or incident reporting requirements for HPH organizations.

Takeaway

Organizations in the HPH sector now have a new resource to add to their respective cybersecurity program arsenals. The tools, services, and guidance included in the Toolkit will help HPH organizations of all levels build solid cybersecurity foundations, connect and collaborate with other organizations in the sector regarding vulnerabilities and threats, and improve their overall cyber hygiene.

¹ According to a 2023 survey of 550 Chief Information Security Officers (CISO), healthcare organizations are spending 8.1% of their IT budgets on cybersecurity. In comparison, technology firms are spending 19 percent (the highest of any industry) and financial firms are spending 13.6% of their IT budgets on cybersecurity. 2023 CISO Compensation Benchmark Report (iansresearch.com)

² Healthcare and Public Health Cybersecurity | CISA