On April 17, 2023, the U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of several resources to help the Healthcare and Public Health (HPH) sector address cybersecurity concerns.
New Resources from HHS
- Knowledge on Demand – a new online educational platform that offers free cybersecurity trainings for health and public health organizations to improve cybersecurity awareness.
- Courses include: Social Engineering, Ransomware, Data Loss, and Attacks against Network Connected Medical Devices
- Content available multiple formats including video, powerpoint, and SCORM files for Learning Management Systems (LMS)
- Health Industry Cybersecurity Practices (HICP) 2023 Edition – a foundational publication that aims to raise awareness of cybersecurity risks, provide best practices, and help the HPH Sector set standards in mitigating the most pertinent cybersecurity threats to the sector.
- The top five threats defined in HICP are social engineering, ransomware, loss or theft of equipment, insider, accidental, or intentional data loss, and attacks against network connected medical devices.
- Hospital Cyber Resiliency Initiative Landscape Analysis – PDF – a report on domestic hospitals’ current state of cybersecurity preparedness, including a review of participating hospitals benchmarked against standard cybersecurity guidelines such as HICP 2023 and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
- The HHS 405(d) Program conducted Landscape Analysis, which reviewed active threats attacking hospitals and the cybersecurity capabilities of hospitals operating in the United States.
- The report highlights key weaknesses and recommends critical areas for improvement and focus.
Read the Press Release
The Growing Threat: Cyber Criminals Focusing on Healthcare
Among the sectors most heavily targeted by cybercriminals, healthcare organizations now find themselves in the crosshairs. The reasons healthcare is so targeted by criminals include:
- High Impact and Vulnerability
The critical nature of healthcare services makes breaches and cyber incidents within this sector exceptionally impactful. Uninterrupted operations are vital for patient care and well-being, making any disruption potentially life-threatening. Cyberattacks can bring healthcare services to a standstill, jeopardizing patient safety and hindering medical professionals’ ability to deliver timely care. Faced with such urgent circumstances, healthcare organizations are often more inclined to pay ransoms demanded by attackers, creating a lucrative opportunity for cybercriminals to profit from their malicious activities. - Valuable Data
Healthcare organizations harbor a wealth of highly valuable data that entices cybercriminals. Personal and financial information, medical records, and other sensitive data fetch significant prices on the dark web, where an illicit market for stolen information thrives. Cybercriminals capitalize on the profitability of healthcare records, using them as commodities to monetize their illegal endeavors. The ease of acquiring such data, coupled with its high resale value, makes healthcare organizations an attractive choice for cybercriminals seeking substantial financial gains. - Legacy Infrastructure and Inadequate Security
The prevalence of outdated infrastructure and inadequate security measures make the healthcare sector vulnerable. Many healthcare providers and organizations continue to rely on legacy systems and disjointed networks that were not designed with modern cybersecurity threats in mind. These antiquated systems pose significant challenges when implementing robust security measures, leaving critical gaps that attackers can exploit. The lack of integration and coordination among various systems within healthcare organizations makes it difficult to detect suspicious activity promptly, allowing attacks to persist undetected for prolonged periods.
