HSCC publishes 5-year healthcare cybersecurity strategic plan

The Healthcare and Public Health Sector Coordinating Council’s Health Industry Cybersecurity Strategic Plan is intended to serve as an industry call to action as well as guide C-suite execs, health IT leaders and government agencies on cyber investments and implementation of essential cybersecurity goals.

WHY IT MATTERS

Called HIC-SP and available on the HSCC Cybersecurity website, the plan can help organizations throughout the healthcare ecosystem implement essential cybersecurity goals that help address the operational, technological and governance challenges they present.

High-level cybersecurity goals could be achieved through the implementation of specific measurable objectives, according to HSCC. The number one goal in publishing HIC-SP is to improve and protect patient safety, said Chris Tyberg, HSCC CWG vice chair and chief information security officer for Abbott, in the plan announcement Tuesday.

After publishing HIC-SP, the HSCC CWG said it would begin to develop a set of measurable outcomes and appropriate metrics to support the plan’s success. The group said it intends to release those measures by the end of 2024.

“The Health Industry Cybersecurity Strategic Plan recognizes that cybersecurity for the health sector is a shared responsibility among all HPH stakeholders, including medical device manufacturers, pharmaceuticals, healthcare delivery organizations, health plans and payors and government policymakers,” said Erik Decker, HSCC CWG chairman and chief information security officer for Intermountain Health, in the statement.

Accomplishing the plan could upgrade healthcare cybersecurity from “critical” to “stable condition” by 2029, HSCC noted. 

Also critical: HIC-SP must create a cyber safety net that promotes cyber equity among under-resourced health organizations, workforce cybersecurity learning and application, and an industry early-warning incident response and recovery system – a 911 Cyber Civil Defense.

THE LARGER TREND

In January, the U.S. Health and Human Services released voluntary cybersecurity performance goals for hospitals and healthcare providers to help healthcare organizations establish layered protection. 

Comprised of two levels, the goals align with the HHS 405(d) Program, HSCC, the NIST Cybersecurity Framework, and the Cybersecurity and Infrastructure Security Agency’s National Cybersecurity Strategy.

“We have a responsibility to help our healthcare system weather cyber threats, adapt to the evolving threat landscape and build a more resilient sector,” said HHS Deputy Secretary Andrea Palm when the agency announced the CPGs. 

In HIC-SP, creating a future cyber-resilient healthcare state also depends on collaboration across the ecosystem to secure design and technology delivery. 

“The plan also applies to third-party technology and service providers which continue to pose significant risks to the health system,” Decker noted in the announcement.

Where third-party vendors elevate health system risks, IT teams spend a lot of time performing many vendor risk-management analyses. Not only do these analyses require a vast amount of resources to accomplish, they also provide technology risk profiles that are just a “snapshot in time,” said Kathy Hughes, CISO of Northwell Health.

“It’s still a very manual and labor-intensive process,” she explained during a previous discussion with Decker and others on how to move the needle on third-party cybersecurity.

ON THE RECORD

“We are calling on all health industry stakeholders to join us in this imperative for the benefit of patients and the overall health of the sector,” Tyberg said in the HSCC CWG statement.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
