2020 State HIT Connect has ended
Monday, December 7 • 1:00pm - 2:30pm
Track 4 (Pre-Event Workshop): HHS Cybersecurity Panel: Manage Threats and Protect your Citizens

In 2015, the United States Congress passed the Cybersecurity Act of 2015 (CSA), which includes Section 405(d): Aligning Health Care Industry Security Approaches. To address this requirement, in 2017 HHS convened the 405(d) Task Group, leveraging the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. As a result, the Health Industry Cybersecurity Practices: Mitigating Threats and Protecting Patients (HICP) publication was developed and released in December 2018. The HICP publication aims to raise awareness, provide vetted cybersecurity practices, and move towards consistency in mitigating the most pertinent current cybersecurity threats to the sector. It seeks to help healthcare and public health organizations develop meaningful cybersecurity objectives and outcomes.

The publication includes a main document, two technical volumes, and a resources and templates appendix:
- The main document examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores five current threats and presents ten practices to mitigate those threats.
- Technical Volume 1 discusses these ten cybersecurity practices for small healthcare organizations.
- Technical Volume 2 discusses these ten cybersecurity practices for medium and large healthcare organizations.
- Resources and Templates includes a variety of cybersecurity resources and templates for end users to reference.

The five cybersecurity threats facing the healthcare industry are:
1. Email Phishing
2. Ransomware
3. Loss or Theft of Equipment or Data
4. Insider Intentional or Accidental Data Loss
5. Attacks Against Connected Medical Devices

The technical volumes discuss these 10 practices in more detail, tailored to small, medium, and large organizations:
1. Email Protection Systems
2. Endpoint Protection Systems
3. Access Management
4. Data Protection and Loss Prevention
5. Asset Management
6. Network Management
7. Vulnerability Management
8. Incident Response
9. Medical Device Security
10. Cybersecurity Policies


Julie Anne Chua

Risk Management Branch Chief, U.S. Department of Health and Human Services

Pyreddy Reddy

Chief Information Security Officer, North Carolina DHHS

Monday December 7, 2020 1:00pm - 2:30pm PST