HHS cybersecurity leaders want healthcare industry accountability, but pledge support

BOSTON – At the HIMSS Healthcare Cybersecurity Forum, Erik Decker, chief information security officer at Intermountain Health, led a discussion Thursday with cybersecurity leaders from the U.S. Department of Health and Human Services to talk about how the agency can improve accountability and competency in the field of cybersecurity.

Decker was accompanied by Commander Thomas Christl, director of HHS’s Office of Critical Infrastructure Protection in the Administration for Strategic Preparedness and Response, Nicholas Heesters, Senior Advisor for Cybersecurity for the Office of Civil Rights, and Nick Rodriguez, manager of HHS 405(d) program.

A ‘major change’ in the approach to risk management

Christl said there have been many conversations within HHS recently about how his ASPR department can approach cybersecurity in the healthcare and public health sectors more “holistically” – better and help HHS in its role as the Sector Risk Management Agency for healthcare under the Cybersecurity and Infrastructure Security Agency.

There has been a “major change in the way we approach cyber like the SRMA in ways we couldn’t have even imagined two or three years ago,” he said.

Working with CISA and private sector partners, ASPR plans to build its cyber capacity, is investing in cyber incident tracking and has Risk Identification and Location Criticality Toolkita 94-question assessment based on the NIST Cybersecurity Framework.

The tool will give HHS the ability to collect anonymous aggregate data on the state of the industry, said Christl, who noted that ASPR may also have increased staffing or resource capacity. “We are getting an investment from our senior leadership” that will allow HHS’s preparedness and response function “to do more at all levels.”

In response to a question about threat intelligence information sharing, Christl said the agency is exploring how information can be declassified and declassified through “traffic light protocols” to make it “consumable” and useful to HIT, and is also looking at adding complete intelligence . time contacts with the FBI and CISA to facilitate that.

New Source for 405(d)

Decker provided a brief background on the 405(d)-sponsored landscape analysis, which he said aligns with the Healthcare Industry Cybersecurity Practices update released at HIMSS23 in April.

That analysis of what health care organizations are doing well and where they are falling short gave HHS a roadmap while providing data for organizations to compare themselves to their peers based on size and other factors, Rodriguez said.

Rodriguez said the 405(d) program is focused on working with ASPR and integrating their data and building their support to better support the industry “to produce more documents, to produce more training – to produce more education” and to also provide direct assistance to small businesses. healthcare systems.

Linked to the recent HICP renewal, HHS also offers new knowledge-on-demand. A four-part, free education and training program is designed for end-user training, and the files are available for download for organizations that have their own learning systems, he noted.

In the near future, 405(d) will also release a publication on cyber enterprise risk management and an updated joint operations checklist for the first 12 hours after a cyber event, Rodriguez said.

How HICP can help with OCR investigations

Heesters said that for 2022, OCR has received more than 30,000 complaints about potential violations of privacy or security of health information and more than 700 breach notifications.

Decker asked Heesters how new considerations under the HITECH Act give healthcare organizations an edge in investigations if they have implemented HICP and other 405(d) guidelines.

Given that the regulations are designed to be non-prescriptive, Heesters said he believes the specific action items in HICP are helpful for organizations to think about how they can better strengthen their environments and protect ePHI. He mentioned HICP risk analysis, endpoint control, asset inventory, multi-factor authentication and other network security protocols.

Many of the items have a direct correlation to security requirements.

“So even though the security rule is not prescriptive, the requirements are to protect health information,” Heesters said.

For example, he said the section on phishing simulation exercises “aligns very well” with the requirement to provide security reminders that entities must comply with.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.