HHS cybersecurity leaders want healthcare industry accountability, but pledge support
BOSTON – At the HIMSS Healthcare Cybersecurity Forum on Thursday, Erik Decker, chief information security officer at Intermountain Health, led a discussion with cybersecurity leaders from the U.S. Department of Health and Human Services to talk about how the agency is driving accountability and competency in cybersecurity.
Decker was joined by Commander Thomas Christl, Director of the HHS’s Office of Critical Infrastructure Protection in the Administration for Strategic Preparedness and Response, Nicholas Heesters, Senior Advisor for Cybersecurity for the Office of Civil Rights and Nick Rodriguez, manager of the HHS 405(d) program.
A ‘sea change’ in approach to risk management
Christl said there have been a lot of conversations recently within HHS about how his ASPR department can approach healthcare and public health sector cybersecurity more “holistically” – better and help HHS in its role as the Sector Risk Management Agency for healthcare under the Cybersecurity and Infrastructure Security Agency.
There’s been a “sea change in how we’re approaching cyber as the SRMA in ways that we couldn’t even have imagined two or three years ago,” he said.
Working with CISA and private sector partners, ASPR has plans to build its cyber capacity, is investing in cyber incident tracking and has released the Risk Identification and Site Criticality toolkit, a 94-question assessment built off the NIST Cybersecurity Framework.
The tool will give HHS the ability to do anonymous aggregate data on the state of the sector, said Christl, who noted that ASPR may also have more staffing or resource capacity, too. “We’re getting an investment from our senior leadership,” which will allow HHS’s preparedness and response function “to do more at all levels.”
In response to a question about threat intelligence information sharing, Christl said that the agency is looking at how to downgrade and declassify information through “traffic light protocols” to make it “consumable” and helpful to HIT, and is also looking at adding full-time liaisons with the FBI and CISA to facilitate that.
New resource for 405(d)
Decker provided a brief background on the 405(d)-sponsored landscape analysis, which he said aligns with the Healthcare Industry Cybersecurity Practices update released at HIMSS23 in April.
That analysis of what healthcare organizations are doing well and where they come up short gave HHS a road map, while it provides organizations data to benchmark themselves against their peers based on size and other factors, Rodriguez said.
Rodriguez said the 405(d) program is focused on working with ASPR and integrating their data and building their support to better support the industry “to produce more documents, to produce more trainings – to produce more education” and also provide direct outreach to small health systems.
Coupled with the recent HICP refresh, HHS is also offering new knowledge-on-demand. A four-part, free education and training program is designed for end user-training, and the files are available to download for organizations that have their own learning systems, he noted.
In the near future, 405(d) will also release a cyber enterprise risk management publication and an updated joint operational checklist for the first 12 hours after a cyber event, Rodriguez said.
How HICP can help with OCR investigations
Heesters said OCR has received more than 30,000 complaints about potential violations of health information privacy or security and more than 700 breach notifications for 2022.
Decker asked Heesters how new considerations under the HITECH Act give healthcare organizations a leg up on investigations if they have implemented HICP and other 405(d) guidance.
Given that the regulations are designed to be non-prescriptive, Heesters said he believes that the specific actionable items in HICP are helpful to organizations for thinking about how to better fortify their environments and protect ePHI. He named HICP’s risk analysis, endpoint control, asset inventory, multi-factor authentication and other network security protocols.
Many of the items have a direct correlation to security requirements.
“So even though the security rule is non-prescriptive, the requirements are to protect health information,” Heesters said.
For example, he said the section on phishing simulation exercises “dovetails very well” with the requirement for providing security reminders that entities must meet.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.