The Charge
Following the dramatic escalation in cyber attacks against the health care industry, Congress called for the establishment of the Health Care Industry Cybersecurity Task Force under Section 405(c) of the Cybersecurity Information Sharing Act of 2015. The Department of Health and Human Services (HHS) convened the Task Force in March 2016, drawing members with a wide range of professional backgrounds and subject matter expertise from across the breadth of the health care industry. Over the course of the next year, the members discussed cybersecurity concerns for the health care industry and potential ways to better protect health care systems, providers, and patients.
On June 2, 2017, the Task Force released the Report on Improving Cybersecurity in the Health Care Industry (the Report) to illustrate the urgency and complexity of cybersecurity risks facing the health care industry.
A Year of Progress
Since the publication of the Report, HHS has been working across all of its agencies and offices to study the Report’s recommendations and begin to implement changes. For some recommendations, HHS was able to take immediate action. Other recommendations require a longer-term approach to align them with existing policies, authorities, and resources. HHS is working closely with partners throughout the private sector and the Federal Government to maintain focus on the recommendations, with the goal of making continual progress. Below is a sample of the work we have been doing in the year since the Task Force Report. It is arranged by the six “Imperatives” identified by the Task Force.
Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
The Task Force focused on the need for strong cybersecurity leadership in corporate governance structures, industry organizations, and government at all levels. HHS is addressing these recommendations by strengthening our internal cybersecurity structures.
- Communicated to Congress that the Deputy Secretary for Health and Human Services is the lead official for all cybersecurity matters within the Department.
- Established an internal working group from across HHS to coordinate activities focused on health care industry cybersecurity, including the implementation of Task Force recommendations.
Increase security and resilience of medical devices and health IT.
The Task Force developed several recommendations addressing the unique cybersecurity challenges of medical devices and electronic health records. HHS is identifying regulatory and non-regulatory means to address these challenges.
- Developed and released the Medical Device Safety Action Plan and draft Trusted Framework and Common Agreement.
- Provided Congress with a plan of action for “creating, deploying and leveraging a bill of materials for health care technologies.”
- Exploring opportunities to update, streamline and/or provide greater clarity on cybersecurity regulatory approaches.
Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
These recommendations address current cybersecurity workforce challenges across health care. HHS is taking innovative steps to develop its own cybersecurity workforce, while looking for opportunities to leverage its successes for the benefit of the greater health care industry.
- Helping lead the Federal IT Workforce Committee of the National Initiative for Cybersecurity Education (NICE).
- Using the NICE Framework to improve the Department’s ability to attract, develop, and retain IT talent.
Increase health care industry readiness through improved cybersecurity awareness and education.
These recommendations focus on raising cybersecurity awareness among health care organization leaders, employees, and customers. HHS has made cybersecurity outreach a priority.
- Conducting education and outreach activities, including in-person sessions on cyber awareness training, co-hosting cyber awareness events with professional industry associations, and presenting at conferences.
- Providing online resources, including cyber awareness videos and application programming tools for non-technical audiences.
Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
This section focuses on the significant problem of health care intellectual property theft related to areas such as clinical trials, drug and device development, big data applications, and general health care business operations. HHS is working to expand outreach and collaboration with owners and users of health care intellectual property.
- Worked with the National Academies on a recommendation to include research institutions within HHS’s private sector critical infrastructure partnership.
Improve information sharing of industry threats, risks, and mitigations.
These recommendations focus on the sharing of cyber threat information between government and industry. HHS has increased our capability to analyze and share cyber threat information related to health care.
- Provided grants to promote information sharing within the health care industry.
- Produced and disseminated executive and technical summaries on emerging cyber threats that are applicable to a wide range of health care audiences.
In addition to the progress made within HHS, the Department’s partners on the industry-led Sector Coordinating Council (SCC) have taken significant steps toward improving the industry’s cybersecurity posture. They have identified cybersecurity leadership, developed a recruitment plan for additional members, and established several task groups to address Task Force recommendations. HHS encourages our partners to connect with the SCC in these efforts. For more information, please contact cip@hhs.gov.