Additional author: Aaron Futerman

On October 25, 2023, the Cybersecurity and Infrastructure Security Agency ("CISA") and the Department of Health and Human Services ("HHS") released a cybersecurity toolkit containing resources and information that organizations in the healthcare and public health (HPH) sector can utilize to reduce their cyber risk.

Background

HPH is one of the sectors most targeted by threat actors because of the valuable data that organizations in the sector collect, such as health records, personally identifiable information, and financial information. HPH organizations are also reputed to be "cyber poor" targets, seen as having generally poor cyber hygiene. In addition, these organizations typically operate numerous connected medical devices, some of which have hardware and software vulnerabilities that threat actors can exploit to reach key systems and records. The encryption of (or loss of access to) data and medical systems places extraordinary pressure on healthcare providers, as any disruption could delay lifesaving medical care.

The pandemic accelerated the healthcare industry's adoption of digital technology for remote work, patient communications, and medical treatment. However, the expansion of this digital ecosystem has also increased the potential attack surface of healthcare organizations. The HPH sector has generally been slower to achieve robust cybersecurity because of tight budgets and difficulty in recruiting qualified cybersecurity staff.[1]

High-profile cyberattacks illustrate the unique consequences of such attacks on the HPH sector. In October 2022, one of the nation's largest healthcare systems was the victim of a ransomware attack that forced hospitals in several states to cancel medical procedures, divert ambulances to other facilities, and use paper records. The company estimated that the attack cost $160 million, including revenue losses and remediation expenses. Furthermore, the company now faces class action litigation resulting from the exposure of its patients' health and personal information.

Recognizing the cybersecurity challenges unique to the HPH sector, CISA, HHS, and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group have collaborated to create and consolidate resources that HPH organizations can leverage to improve their cybersecurity programs and reduce the risk of cybersecurity incidents across the sector.

The Cybersecurity Toolkit for HPH

The Cybersecurity Toolkit for HPH (the "Toolkit")[2] is a comprehensive resource hub for organizations of all sizes and levels of sophistication, which they can use to implement more advanced measures to improve their cyber hygiene, assess vulnerabilities, and proactively respond to cybersecurity threats.

The Toolkit includes:

  • Cyber Hygiene Services: CISA's cybersecurity assessment resources for HPH organizations and its Services Catalog, which gives users information on other no-cost cybersecurity tools and services designed to help organizations manage risk and improve their cyber hygiene.
  • Landscape & Threat Analysis: Resources to help users understand current cyber capabilities and preparedness of HPH organizations and the specific types of cyber threats impacting them.
  • Cybersecurity Risk Assessment Tool: A risk assessment tool developed by HHS' Office of the National Coordinator for Health Information and Office for Civil Rights to help small and medium-sized organizations identify and assess security risks within their organization.
  • Cybersecurity Best Practices: Resources to help users understand and implement cybersecurity best practice recommendations and guidance identified by HHS, including email protection, endpoint protection, access management, data protection, incident response, and governance.
  • Advisories and Alerts: Various advisories and listservs for HPH organizations to receive immediate threat intelligence and invitations to monthly threat briefings.
  • Cybersecurity Training and Exercises: CISA training and education materials, including free tabletop exercise packages for employees in the HPH sector and the general public.

The Toolkit is not intended to cover legal requirements for healthcare security or incident reporting requirements for HPH organizations.

Takeaway

Organizations in the HPH sector now have a new resource to add to their cybersecurity programs. The tools, services, and guidance included in the Toolkit will help HPH organizations of all levels build solid cybersecurity foundations, connect and collaborate with other organizations in the sector on vulnerabilities and threats, and improve their overall cyber hygiene.

Footnotes

1. According to a 2023 survey of 550 Chief Information Security Officers (CISOs), healthcare organizations spend 8.1% of their IT budgets on cybersecurity. In comparison, technology firms spend 19% (the highest of any industry) and financial firms spend 13.6% of their IT budgets on cybersecurity. See the 2023 CISO Compensation Benchmark Report (iansresearch.com).

2. Healthcare and Public Health Cybersecurity | CISA


© Copyright 2023. The Mayer Brown Practices. All rights reserved.
