The U.S. Department of Health and Human Services (HHS) continues to play a central role in helping health care organizations defend against cybersecurity threats, issuing cybersecurity briefs and a new cybersecurity framework over the last 60 days.

On April 6, 2023, HHS warned health care organizations of the cybersecurity threat posed to Electronic Medical/Health Records (EMRs/EHRs). This latest threat briefing is one of the first issued to health care organizations under HHS's new cybersecurity framework (and follows its previous briefing on "Data Exfiltration trends in Healthcare").

In addition to specific briefings on key cyber risk areas, HHS unveiled a new framework through the agency's Administration for Strategic Preparedness and Response (ASPR) to assist health care organizations with responding to cyber threats. This new guide—the Cybersecurity Implementation Guide—is the product of a public-private partnership designed to improve cyber risk management in an era of rising cyberattacks in the health care space.

The guide contains a series of voluntary best practices for helping health care organizations address cybersecurity risks to items like patient data, intellectual propriety, medical device manufacture and research. These practices cover risk identification and management, access control and supply chain monitoring, along with corporate board management of cyber risk management programs. The guide emphasizes the importance of boards approaching cybersecurity as an enterprise-wide risk management issue, instead of merely an IT issue.

With this guide, HHS seeks to help public and private health care organizations align their information security programs with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). NIST recently released a proposed update for the framework in January, along with a new framework for artificial intelligence (AI) (see here for more details on this AI framework).

ASPR developed the guide jointly with the Health Sector Coordinating Council Cybersecurity working group (which includes health care companies, hospitals and industry groups), with input from NIST and other federal agencies. This project follows the White House National Cybersecurity Strategy announcement earlier in March calling for private-public cooperation against cyber threats to critical infrastructure.

The health care sector is a particularly prime target for cyber threat actors, and guidance like this can help organizations plug gaps in their defenses.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.