HSCC releases five-year strategic plan for healthcare cybersecurity

The Healthcare and Public Health Sector Cybersecurity Strategic Plan is intended as an industry call to action and guidance for healthcare executives, healthcare IT leaders, and government agencies in cyber investments and the implementation of critical cybersecurity goals.

WHY IT MATTERS

Called HIC-SP and available on the HSCC Cybersecurity website, the plan can help organizations across the healthcare ecosystem implement essential cybersecurity objectives that help address the operational, technological and governance challenges they present.

According to HSCC, high-level cybersecurity goals can be achieved through the implementation of specific measurable objectives. The primary goal in publishing HIC-SP is to improve and protect patient safety, Chris Tyberg, HSCC CWG vice chairman and chief information security officer for Abbott, said in the plan announcement Tuesday.

Following the publication of HIC-SP, the HSCC CWG said it would begin developing a range of measurable outcomes and appropriate metrics to support the success of the plan. The group said it plans to release these measures by the end of 2024.

“The Health Industry Cybersecurity Strategic Plan recognizes that healthcare cybersecurity is a shared responsibility among all HPH stakeholders, including medical device manufacturers, pharmaceutical companies, healthcare organizations, healthcare plans and payers, and government policymakers,” said Erik Decker, chairman of the HSCC CWG and chief information security officer for Intermountain Health, in the statement.

If the plan is achieved, healthcare cybersecurity could be improved from ‘critical’ to ‘stable’ by 2029, HSCC said.

Also critical, HIC-SP must create a cyber safety net that promotes cyber equity among under-resourced healthcare organizations, workforce learning and adoption of cybersecurity, and an early incident and recovery warning system – a 911 Cyber Civil Defense.

THE BIG TREND

In January, the U.S. Health and Human Services released voluntary cybersecurity performance goals for hospitals and healthcare providers to help healthcare organizations achieve layered protection.

The objectives consist of two levels and align with the HHS 405(d) program, HSCC, the NIST Cybersecurity Framework, and the Cybersecurity and Infrastructure Security Agency’s National Cybersecurity Strategy.

“We have a responsibility to help our healthcare system withstand cyber threats, adapt to the evolving threat landscape, and build a more resilient sector,” HHS Assistant Secretary Andrea Palm said when the agency announced the CPGs.

In HIC-SP, creating a future cyber-resilient healthcare state also depends on collaboration across the ecosystem to secure design and technology delivery.

“The plan also applies to third-party technology and service providers that continue to pose significant risks to the healthcare system,” Decker said in the announcement.

Where third-party vendors increase healthcare system risks, IT teams spend a lot of time performing many vendor risk management analyses. Not only do they require a tremendous amount of resources to achieve this, they also provide technology risk profiles that are only a snapshot in time, says Kathy Hughes, CISO of Northwell Health.

“It’s still a very manual and labor-intensive process,” she explained during an earlier conversation with Decker and others about how to address third-party cybersecurity.

ON THE RECORD

“We call on all healthcare stakeholders to join us in this imperative for the benefit of patients and the overall health of the sector,” Tyberg said in the HSCC CWG statement.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.