
HSCC Issues Cyber ‘Call to Action’ Plan for Health Sector


5-Year Plan Details How to Raise the Bar on Health Ecosystem’s Approach to Cyber

Healthcare entities are facing a rising tide of cyberthreats. A new five-year plan from the Health Sector Coordinating Council aims to help them better navigate these challenges. (Image: Getty)

The Health Sector Coordinating Council has issued a five-year strategic plan – “a call to action” – for healthcare and public health organizations to implement cybersecurity programs that do a better job of protecting their patients against the ever-rising tide of threats.


HSCC’s Cybersecurity Working Group, a private-public coalition that represents 425 health industry entities and government agencies, unveiled the plan on Tuesday. The group’s new Health Industry Cybersecurity Strategic Plan, or HIC-SP, addresses an assortment of cyber issues currently plaguing the sector, and presents a forward vision for battling evolving threats over the next five years.

“The move toward digital health and health-on-demand, putting more control in the hands of the patients, might be one of the most significant developments in how health providers need to tailor services, clinical workflows and reimbursement models,” Greg Garcia, executive director of HSCC’s CWG, told Information Security Media Group.

“It highlights the direct relationship between technology innovation and health delivery. With that evolution of a distributed health system, we are seeing a natural expansion of the attack surface from threats and vulnerabilities. This is what we need to solve for over the next five years,” he said.

Ransomware attacks alone hit about 141 hospitals in 2023, and the average ransom demand was $1.5 million, HSCC said. The number of major health data breaches reported to federal regulators hit an all-time annual high of nearly 740 incidents, which affected more than 136 million individuals (see: How 2023 Broke Long-Running Records for Health Data Breaches).

The HSCC strategic plan sets out “high-level cybersecurity goals” that can be achieved by implementing specific measurable objectives to upgrade the “diagnosis” of healthcare cybersecurity from its current “critical” state to a “stable condition,” HSCC said.

The 12 measurable objectives include increasing the use of cybersecurity practices and resources by public health, physician practices and smaller healthcare delivery organizations; developing cross-sector third-party risk management strategies; and implementing automation and emerging technologies, such as artificial intelligence, to drive efficiencies in cybersecurity processes.

The aim by 2029 is for healthcare sector cybersecurity to be ingrained as a public health and patient safety standard, HSCC said.

That includes a “future” state in which healthcare sector cybersecurity is reflexive from both a regulatory and practice perspective; security is embedded in the design and implementation of technology and services across the healthcare ecosystem in a shared and collaborative way; and the healthcare C-suite is accountable for cybersecurity as enterprise risk and a technology imperative.

Other key principles in the “future” state for healthcare cybersecurity call for under-resourced health organizations to get access to financial, policy and technical assistance to ensure cyber equity; continuing workforce cybersecurity learning and development; and the establishment of a “911 cyber civil defense” for early warning, incident response and recovery.

Complementary Plans

The HSCC plan complements an unfolding strategy outlined by the Biden administration in December that also aims to bolster cybersecurity in the healthcare sector, Garcia said (see: Biden Administration Issues Cyber Strategy for Health Sector).

HHS’ evolving strategy includes more than a dozen voluntary “essential” and “enhanced” cybersecurity performance goals, which range from implementing strong encryption and multifactor authentication to tackling issues such as asset inventory and third-party vulnerability incident reporting (see: HHS Details New Cyber Performance Goals for Health Sector).

HHS’ CPGs are based on industry cybersecurity frameworks, best practice and strategies, including the National Institute of Standards and Technology’s Cybersecurity Framework, as well as a previously released Health Industry Cybersecurity Practices – or HICP – playbook developed by HSCC and HHS’ 405(d) cyber advisory group.

“The CPGs, the HICP and the HIC-SP are all aligned. We worked together to be sure they are complementary,” Garcia told ISMG. “The HHS CPGs essentially say ‘what’ and the HICP and HIC-SP – and the many other leading supplementary practices that the HSCC CWG has published since 2019 – say not only ‘what’ but ‘how.’”

The HSCC strategic plan is modular in design so organizations can identify the high-level goals and implement objectives in areas that need more attention, Garcia said.

But the HSCC plan goes beyond addressing the sector’s cybersecurity challenges, he said. “It is a plan for how our enterprise and sector cybersecurity will protect patient safety, sustain clinical workflow, and preserve the resources and assets that are critical to the resilient functioning of the healthcare and public health system.”