Federal Goals for Cybersecurity in Healthcare

Authored by Eli Koopman

The Department of Health and Human Services (HHS) has released their 2024-2030 strategic plan which includes increasing security around Electronic Health Information (EHI).

HHS states the goal is to:

“Provide guidance and resources to help health care organizations integrate high-impact cybersecurity practices, such as the Health Care Cybersecurity Performance Goals and the NIST Cybersecurity Framework, in the design and use of health IT while also prioritizing the improvement of the confidentiality, integrity, and availability of connected systems containing health data” (HHS, 2024).

What is Health IT?

Health IT, as described by HHS, is an array of tools that enable the processing, storage, access, exchange, and use of electronic health information (EHI) (HHS, 2024). Examples include patient management systems, online portals for filling out forms, and similar tools.

Why Does Health IT Matter?

Health IT as a concept encompasses all uses of computers, software, and technologies in a healthcare setting. This includes storage and transmission of health data, both hot topics in cybersecurity. With the goals set by HHS to improve confidentiality and integrity and to implement cybersecurity frameworks, it will be important to put cybersecurity first while developing or implementing new technologies.

Implementing cybersecurity frameworks such as the NIST CSF for Health IT will prove beneficial, since healthcare organizations remain a prime target for data breaches and ransomware attacks.

NIST Cybersecurity Framework (CSF) in Healthcare

As part of the 2024-2030 plan, HHS wants to apply the NIST standards to Health IT. The core functions of the NIST CSF, with a short summary of each, are as follows:

Govern – Manage the data, people, processes, and products used in an organization. Create practices with a security-first mentality and monitor your policies over time.

Identify – Locate and acknowledge cybersecurity risk in an organization. Risks can involve people, products, practices, or suppliers. Identify also includes identifying opportunities for improvement.

Protect – Protect against the identified risks. This can include software solutions, training, physical hardening, and creating redundancies.

Detect – Monitor for and analyze new or persistent risks. Behavioral monitoring, physical security alerts, endpoint logging, and alerting all aid in detecting a compromise.

Respond – When threats are identified, address them. Analyze the incident, respond, determine how it happened, and work to prevent the same incident in the future.

Recover – Return systems, hardware, or physical assets to normal operations after an incident. Communicate throughout the recovery process and work to restore systems as soon as possible.

The Future of Cybersecurity in Healthcare

As HHS pushes forward with its 2024-2030 goals, healthcare organizations should strive to be aligned with or ahead of the federal goals. Tackling cybersecurity is an all-encompassing process involving physicians, network engineers, and investors alike. Implementing frameworks like the NIST CSF can help organizations identify and reduce their risks.

How CLA Can Help

CLA’s cybersecurity team has years of experience performing IT risk assessments, controls reviews, and custom cybersecurity testing. Please contact us to help in assessing and mitigating your risk for a cyber-attack.

References

Department of Health and Human Services. (2024, March 27). Draft 2024-2030 Federal Health IT Strategic Plan. HealthIT.gov. https://www.healthit.gov/topic/draft-2024-2030-federal-health-it-strategic-plan
