Recognizing the threat to both critical infrastructure and human health and safety in the event of a cyber-attack, the Department of Health and Human Services (HHS) recently released Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, a publication nearly two years in the making.
“This publication is the result of the collaborative work HHS and its industry partners embarked on more than a year ago – namely, the development of practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for health care organizations of varying sizes, ranging from local clinics, regional hospital systems, to large health care systems,” wrote Eric Hargan, deputy secretary of HHS.
The document is the result of a collaborative partnership between industry and government, prompted by a mandate set forth by the Cybersecurity Act of 2015, Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry, according to an HHS press release.
“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers; recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert,” said Erik Decker, industry co-lead and chief information security and privacy officer for the University of Chicago Medicine, in the press release.
Though consensus-based and intended to help lead the industry toward best practices and procedures, the guidelines are voluntary. The processes put forth should – if implemented and followed – achieve the three core goals of reducing cybersecurity risks while supporting voluntary adoption and implementation and ensuring that the content within the guidelines remains actionable, practical, and relevant to a range of health care stakeholders.