
The Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services released the Cybersecurity Toolkit for Healthcare and Public Health to help the sector manage rising digital threats. The release follows a discussion on the specific challenges the U.S. healthcare and public health sector faces and how government and industry can work together to close gaps in resources and cyber capabilities.
Because adversaries see healthcare and public health organizations as high-value, “cyber poor” targets, CISA is working with HHS and the healthcare sector to secure health organizations. CISA Deputy Director Nitin Natarajan explained that these groups are essentially a one-stop shop for an adversary due to the combination of personally identifiable information, financial information, health records, and countless medical devices they hold.
Under-resourced hospitals and health centers are a particular focus of the effort to improve defenses. HHS Deputy Secretary Andrea Palm noted that the agency has seen a significant rise in the number and severity of cyber attacks against hospitals and health systems in the last few years. The longer these incidents last, she added, the more expensive and dangerous they become.
CISA conducted pre-ransomware notifications to over 65 U.S. healthcare organizations to stop ransomware encryption and warn entities of early-stage ransomware activity. The agency also outlined its efforts to address immediate cybersecurity threats and harden systems against attack with greater accountability in its FY 2024-2026 strategic plan.
Related: Health experts raise alarm over app data risks
Consolidated Resources
The new toolkit contains remedies for healthcare organizations of all sizes. It addresses cyber hygiene, tools to build strong cybersecurity foundations, and resources to stay ahead of constantly evolving threats. HHS stated that the toolkit is designed for healthcare and public health organizations at every level of capability.
The tool kit links to the Healthcare and Public Health Sector Coordinating Council resources for managing risks, improving security, and implementing mature cybersecurity and response measures. This includes the HSCC’s Health Industry Cybersecurity Practice, which serves as the industry’s response to the Cybersecurity Act of 2015 Section 405(d)’s requirement.
Users can connect to the HPH Sector Cybersecurity Framework Implementation Guide by HHS and CISA’s vulnerability scanning services. These services evaluate external network presence by executing continuous scans of public, static IPv4s for accessible services and vulnerabilities. The site also consolidates various cybersecurity alerts applicable to the healthcare sector, information about free cybersecurity services and tools, security training, and reporting portals.
Greg Garcia, executive director of HSCC Cybersecurity Work Group, has said that improving cyber preparedness is a collective responsibility. “None of us individually is as smart as all of us collectively,” he said in December at a HIMSS Cybersecurity Forum.
Related: The Allure of Coloured Gemstones: A Shift in Preference for Lab Diamond Engagement Rings
For smaller facilities without dedicated security teams, having these resources centralized in one place offers a practical path to compliance. The toolkit effectively removes the friction of searching for individual compliance documents or security vendors, allowing overburdened administrators to quickly access the specific controls and guidance required to meet federal standards and protect patient data without needing to build a program from scratch.
Officials emphasized that lasting security requires close, persistent collaboration among government, industry, security researchers, the international community, and others. CISA must also increase the number of participating organizations and the number of cyber defense plans for high-priority risks identified under the National Cyber Incident Response Plan.
This collection of tools provides a foundation for resilience.