Healthcare , Industry Specific , Standards, Regulations & Compliance

HSCC Issues Cyber 'Call to Action' Plan for Health Sector

5-Year Plan Details How to Raise the Bar on Health Ecosystem's Approach to Cyber
HSCC Issues Cyber 'Call to Action' Plan for Health Sector
Healthcare entities are facing a rising tide of cyberthreats. A new five-year plan from the Health Sector Coordinating Council aims to help them better navigate these challenges. (Image: Getty)

The Health Sector Coordinating Council has issued a five-year strategic plan - "a call to action" - for healthcare and public health organizations to implement cybersecurity programs that do a better job of protecting their patients against the ever-rising tide of threats.

See Also: Using the Netskope HIPAA Mapping Guide

HSCC's Cybersecurity Working Group, a private-public coalition that represents 425 health industry entities and government agencies, unveiled the plan on Tuesday. The group's new Health Industry Cybersecurity Strategic Plan, or HIC-SP, addresses an assortment of cyber issues currently plaguing the sector, and presents a forward vision for battling evolving threats over the next five years.

"The move toward digital health and health-on-demand, putting more control in the hands of the patients, might be one of the most significant developments in how health providers need to tailor services, clinical workflows and reimbursement models," Greg Garcia, executive director of HSCC's CWG, told Information Security Media Group.

"It highlights the direct relationship between technology innovation and health delivery. With that evolution of a distributed health system, we are seeing a natural expansion of the attack surface from threats and vulnerabilities. This is what we need to solve for over the next five years," he said.

Ransomware attacks alone hit about 141 hospitals in 2023, and the average ransom demand was $1.5 million, HSCC said. The number of major health data breaches reported to federal regulators hit an all-time annual high of nearly 740 incidents, which affected more than 136 million individuals (see: How 2023 Broke Long-Running Records for Health Data Breaches).

The HSCC strategic plan sets out "high-level cybersecurity goals" that can be achieved by implementing specific measurable objectives to upgrade the "diagnosis" of healthcare cybersecurity from its current "critical" state to a "stable condition," HSCC said.

The 12 measurable objectives include increasing the use of cybersecurity practices and resources by public health, physician practices and smaller healthcare delivery organizations; developing cross-sector third-party risk management strategies; and implementing automation and emerging technologies, such as artificial intelligence, to drive efficiencies in cybersecurity processes.

The aim by 2029 is for healthcare sector cybersecurity to be ingrained as a public health and patient safety standard, HSCC said.

That includes a "future" state in which healthcare sector cybersecurity is reflexive from both a regulatory and practice perspective; security is embedded in the design and implementation of technology and services across the healthcare ecosystem in a shared and collaborative way; and the healthcare C-suite is accountable for cybersecurity as enterprise risk and a technology imperative.

Other key principles in the "future" state for healthcare cybersecurity call for under-resourced health organizations to get access to financial, policy and technical assistance to ensure cyber equity; continuing workforce cybersecurity learning and development; and the establishment of a "911 cyber civil defense" for early warning, incident response and recovery.

Complementary Plans

The HSCC plan complements an unfolding strategy outlined by the Biden administration in December that also aims to bolster cybersecurity in the healthcare sector, Garcia said (see: Biden Administration Issues Cyber Strategy for Health Sector).

HHS' evolving strategy includes more than a dozen voluntary "essential" and "enhanced" cybersecurity performance goals, which range from implementing strong encryption and multifactor authentication to tackling issues such as asset inventory and third-party vulnerability incident reporting (see: HHS Details New Cyber Performance Goals for Health Sector).

HHS' CPGs are based on industry cybersecurity frameworks, best practice and strategies, including the National Institute of Standards and Technology's Cybersecurity Framework, as well as a previously released Health Industry Cybersecurity Practices - or HICP - playbook developed by HSCC and HHS' 405(d) cyber advisory group.

"The CPGs, the HICP and the HIC-SP are all aligned. We worked together to be sure they are complementary," Garcia told ISMG. "The HHS CPGs essentially say 'what' and the HICP and HIC-SP - and the many other leading supplementary practices that the HSCC CWG has published since 2019 - say not only 'what' but 'how.'"

The HSCC strategic plan is modular in design so organizations can identify the high-level goals and implement objectives in areas that need more attention, Garcia said.

But the HSCC plan goes beyond addressing the sector's cybersecurity challenges, he said. "It is a plan for how our enterprise and sector cybersecurity will protect patient safety, sustain clinical workflow, and preserve the resources and assets that are critical to the resilient functioning of the healthcare and public health system."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.in, you agree to our use of cookies.