In 2015, the United States Congress passed the Cybersecurity Act of 2015 (CSA), and within this legislation is Section 405(d): Aligning Health Care Industry Security Approaches. As an approach to this requirement, in 2017 HHS convened the 405(d) Task Group leveraging the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. As a result, the Health Industry Cybersecurity Practices: Mitigating Threats and Protecting Patients (HICP) publication was developed and released in December 2018. The HICP publication aims to raise awareness, provide vetted cybersecurity practices, and move towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. It seeks to aid healthcare and public health organizations to develop meaningful cybersecurity objectives and outcomes.
The document includes a main document, two technical volumes, and a resources templates appendix: - The main document examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores (5) current threats and presents (10) practices to mitigate those threats. - Technical Volume 1 discusses these ten cybersecurity practices for small healthcare organizations - Technical Volume 2 discusses these ten cybersecurity practices for medium and large healthcare organizations. - Resources and Templates includes a variety or cybersecurity resources and templates for end users to reference
The five cybersecurity threats facing the healthcare industry are: 1. Email Phishing 2. Ransomware 3. Loss or Theft of Equipment or Data 4. Insider Intentional or Accidental Data Loss 5. Attacks Against Connected Medical Devices
The technical volumes discuss these 10 practices in more detail, tailored to small, medium, and large organizations: 1. Email Protection Systems 2. Endpoint Protection Systems 3. Access Management 4. Data Protection and Loss Prevention 5. Asset Management 6. Network Management 7. Vulnerability Management 8. Incident Response 9. Medical Device Security 10. Cybersecurity Policies