HHS Provides New Resources and Cybersecurity Training Program to Combat Healthcare Cyber Threats

Posted By Steve Alder on Apr 18, 2023

The Department of Health and Human Services’ Cybersecurity Task Force has shared new resources to help healthcare and public health (HPH) sector organizations combat the growing number of cyberattacks targeting the sector and improve their cybersecurity posture.

The new resources include a new online educational platform that delivers free cybersecurity training that can be used by HPH organizations to raise the security awareness of the workforce, an updated edition of the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, which details the top cyber threats faced by the HPH sector, and a report on the current state of cybersecurity preparedness of hospitals, measured against the NIST Cybersecurity Framework.

The online training platform – Knowledge on Demand – is the first free cybersecurity training platform to be offered by the HHS. The platform includes training material on the most pertinent threats to the HPH sector and, at launch, includes training on five cybersecurity topics – Social engineering, ransomware, loss/theft of computer equipment and data, accidental and malicious insider data loss, and attacks on network-connected medical devices. The platform includes videos, job aids, and PowerPoint presentations. The training materials can be used to help HPH organizations comply with the security awareness training requirements of the HIPAA Security Rule.

The updated HCIP publication has been developed to be appropriate for healthcare organizations of all sizes and includes security best practices and resources to help healthcare organizations prepare for and defend against cybersecurity threats that impact patient safety, including the same five key threats that are covered in the Knowledge on Demand training material. The 47-page document was developed by the 405(d) Task Group and was updated by more than 150 industry and federal professionals and includes the most cost-effective measures to protect against HPH sector cybersecurity threats and protect patients. Two technical volumes have also been released that detail the 10 cybersecurity practices and sub-practices that can be implemented to combat these threats, volume 1 is for small healthcare organizations, and volume 2 is for medium and large healthcare organizations.

The Hospital Cyber Resiliency Landscape Analysis was conducted by the 405(d) Program and is a review of the current state of cybersecurity at the hundreds of participating hospitals and assesses their preparedness to deal with cyber threats and their cybersecurity capabilities and level of cyber resiliency. The document explores the tactics, techniques, and procedures that cyber adversaries are currently using to compromise U.S. hospitals and disrupt operations for financial gain, and benchmarks the results against specific practices outlined in the HCIP. The document identifies best practices and opportunities to improve cyber resiliency.

The HIPAA Journal is the only HIPAA training provider that includes cybersecurity training that is specifically aimed at healthcare professionals and focussed on the use of PHI and medical records.