CISA, HHS Release Collaborative Cybersecurity Healthcare Toolkit

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) co-hosted a roundtable discussion on the cybersecurity challenges that the U.S. healthcare and public health (HPH) sector faces, and how government and industry can work together to close the gaps in resources and cyber capabilities. Ahead of the roundtable, CISA and HHS released a cybersecurity toolkit that includes resources tailored for the healthcare and public health sector.

“Adversaries see healthcare and public health organizations as high value yet relatively easy targets – or what we call target rich, cyber poor.  Given that healthcare organizations have a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for an adversary. For example, just in 2023, CISA conducted pre-ransomware notifications to over 65 U.S. healthcare organizations to stop ransomware encryption and warn entities of early-stage ransomware activity,” said Deputy Director of CISA Nitin Natarajan. “We continue to work diligently with our partners at HHS and in the healthcare sector to secure our health organizations not only in the United States, but across the globe through our collaboration tools.  We are also focused on efforts to Secure Our World by educating the people, companies, and agencies how they can better secure themselves with cybersecurity.”  

“We have seen a significant rise in the number and severity of cyber attacks against hospitals and health systems in the last few years. These attacks expose vulnerabilities in our healthcare system, degrade patient trust, and ultimately endanger patient safety. The more they happen, and the longer they last, the more expensive and dangerous they become,” said HHS Deputy Secretary Andrea Palm. “HHS is working closely with CISA and our industry partners to deliver the tools, resources, and guidance needed to help healthcare organizations, especially our under-resourced hospitals and health centers, mount a strong cyber defense and protect patient lives.”  

Today, as healthcare organizations increasingly rely on digital technologies to store patient and medical information, carry out medical procedures, and communicate with patients, they are exposed to greater risk.  However, hospitals, health centers, and clinics, especially those that are under-resourced, are coping with a wide range of challenges making it harder to invest the necessary resources into cybersecurity.   

Over the past year, CISA, HHS, and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group have been working together to deliver tools, resources, training, and information that can help organizations within this sector. Together, CISA brings technical expertise as the nation’s cyber defense agency, HHS offers extensive expertise in healthcare and public health, and the HSCC Cybersecurity Working Group offers the practical expertise of industry experts working on cybersecurity issues in HPH every day.

A key part of this effort is a new Cybersecurity Toolkit for Healthcare and Public Health that was unveiled at yesterday’s roundtable. This toolkit is easy to navigate online at www.CISA.gov/healthcare and consolidates resources like:  

  • CISA’s Cyber Hygiene Services, which use vulnerability scanning to help secure against known vulnerabilities, reduce the risk of cyberattacks, and encourage the adoption of best practices.
  • HHS’s Health Industry Cybersecurity Practices, which was developed with industry and outlines effective cybersecurity practices that healthcare organizations of all sizes can adopt to become more cyber resilient.
  • HHS and the HSCC’s HPH Sector Cybersecurity Framework Implementation Guide, which helps organizations assess and improve their level of cyber resiliency and provides suggestions on how to link cybersecurity with their overall information security and privacy risk management activities.

Through these and other helpful resources on the webpage, as well as through on-the-ground outreach, CISA and HHS are providing tools, information, and resources to help this vitally important component of the nation’s critical infrastructure reduce its cyber risk and the likelihood of successful cyber incursions.