Healthcare’s New Roadmap for Cybersecurity Resilience



The U.S. Department of Health and Human Services and the Health Sector Coordinating Council’s Cybersecurity Working Group released new guidance Wednesday to help the public and private sectors in healthcare better align their information security programs with the National Institute of Standards and Technology’s Cybersecurity Framework.

WHY IT IS IMPORTANT

Helping the public and private health sectors prevent cybersecurity incidents has become a matter of national concern to protect critical infrastructure.

In that spirit, NIST and other federal agencies have significantly contributed to the content of the Guidelines for the implementation of the new Cybersecurity Framework, according to the HSCC announcement.

This guide complements a previous joint publication of the HHS/HSCC 405(d) Program, Cybersecurity Practices in the Healthcare Industry, Erik Decker, HSCC Cybersecurity Working Group Chair and chief information security officer at Intermountain Healthcare, said in the board statement.

“With this toolkit, organizations of all sizes can deploy cybersecurity best practices, protect their patients, and make the field more resilient,” says Decker.

According to John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, the new guidance is timely, after the White House released a National Cybersecurity Strategy calling for a more conservative approach to collaboration between government and the private sector to help protect critical infrastructure.

“Following the framework can be used to demonstrate the implementation of recognized cybersecurity measures to qualify for legal aid to cyberattack victims under Public Law 116-321,” noted Riggi in a statement about the new cybersecurity framework guidelines posted on the AHA website.

Robert Booker, chief strategy officer at HITRUST, echoed the timeliness and value of guidance regarding the provision of cybersecurity program authentication in an email to Healthcare IT News yesterday.

“Entities regulated by the healthcare industry, like all critical infrastructure industries, can anticipate requests from regulators to further demonstrate security,” said Booker. mature network”.

“The use of this implementation guide and the NIST Cybersecurity Framework can serve as the basis for evaluating and demonstrating the presence of enterprise-wide controls and evidence of control maturity.” active and consistent control as the NIST Cybersecurity Framework is recognized as an Accredited Privacy Practice, along with Cybersecurity Practices in the Healthcare Industry, as directed by the HHS Office of Civil Rights to meet the HITECH law in 2021,” he said.

Bryan Cline, research director at HITRUST and co-chair of the HSCC Cybersecurity Working Group’s Risk Assessment Working Group, added that the updates in the new implementation guidance support risk analysis based on a control framework, which allows organizations to use references such as NIST SP 800-53 and HITRUST CSF “to greatly simplify the requirements of HIPAA risk analysis.”

“Continued and sustained leadership in the private and public sectors on this important work is critically important to healthcare organizations looking to manage cyber risk, identify the improve and leverage the key risk analysis principles to the HIPAA Security Code together with the NIST Cybersecurity Framework,” he said.

THE LARGER TREND

HICP, in compliance with the Cybersecurity Act of 2015 and in line with the NIST framework, has served as a “cookbook” for cyber preparation with ready-made recipes and is expected to grow along with newer legislation affecting the 405(d) program.

“It gets you into the details pretty quickly and succinctly, to get tactical as well as make some tackles and tackles,” Decker told Healthcare IT News in 2019.

Although HICP and its supplemental documents are the cornerstone publication of the 405(d) program, in the opening of the new implementation guidance, HHS’s Strategic Preparedness & Response Administration states that the “lack of attention to regulatory compliance increases the risk of care delivery, in addition to fines and other penalties.”

“Many healthcare organizations, if not most, are having a hard time managing cybersecurity effectively. [OCR] HIPAA’s Audit Industry Report found that 86% of insured entities and 83% of business partners (85% overall) failed to meet risk assessment expectations,” said ASPR.

“For risk management, 94% CE and 88% BA (91% overall) failed to meet expectations.”

In December, Greg Garcia, chief executive officer of HSCC, told HIMSS Healthcare Cybersecurity Forum attendees that protecting healthcare as critical infrastructure is a collective responsibility and noted that the 700+ members of the council have created a number of free resources to protect against industry-wide issues like cyberattacks.

“These things need to be done. They are not items on a shelf,” he said.

ON PROFILE

“As cybercriminals continue to target health systems to steal or ransom sensitive US patients’ medical data and jeopardize the day-to-day operations of service providers, take care of health, I’m happy to see [HHS] issued new voluntary guidance to strengthen healthcare cybersecurity,” Sen. Mark Warner, D-Virginia, said in a statement.

“I welcome [HSCC] Cybersecurity working group to work to transform cyber activities into relevant standards for healthcare providers. I look forward to continuing to work with cyber experts, health stakeholders, and officials in the Biden Administration to determine what voluntary measures we need to begin taking to ensure our safety. for all patients.”

Andrea Fox is the senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
