The U.S. Department of Health and Human Services, taking a cue from Congress, has begun developing principles and best practices for cybersecurity in health care, officials said Tuesday.
“We had an information day … and we are kicking off next week,” said Julie Anne Chua, from the office of the department’s chief information officer. She spoke at a cybersecurity workshop at the National Institute of Standards and Technology.
Section 405d of the 2015 Cybersecurity Act — passed as part of the massive omnibus appropriations nearly 18 months ago — is titled “Aligning health care industry security approaches.” It mandates the HHS secretary “to lead a task group to put together a set of voluntary, consensus-based principles and best practices for cybersecurity in the health sector,” explained Chua.
As the law requires, it will be consistent with the NIST Cybersecurity Framework and the privacy and security provisions of the Health Insurance Portability and Accountability Act, known as HIPAA.
“We know that cybersecurity in the health sector is something we have to lean in on,” Chua said. “The sector is looking to HHS.”
Her comments came as the minds of health care sector cyber professionals were firmly fixed on the explosive growth last week of the WannaCry ransomware, which struck more than four dozen hospitals and other institutions of Britain’s National Health Service, causing the cancellation of thousands of medical appointments across the country.
Chua said that in the U.S., her department was “leveraging its public-private partnership model,” and working with NIST to put the task group together. “We need providers, operators, actual folks on the ground … robust intra-sector cooperation,” she said, adding that a good cross-section of health care companies had attended the information day.
The law calls for the development of “a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes that [will] serve as a resource for cost-effectively reducing cybersecurity risks for a range of health care organizations.”
The end product of the task group, Chua said, needs to be “actionable, easy to use and understand, and [usable] by a single provider — think of your doctor’s office … where a single person is the cyber-professional as well as the health provider.”
Some critics of the provision in 2015 noted the difficulty of producing a document that would be relevant both to a single-person health care provider and a massive insurance company.
“We cannot say enough about small providers and how they need the most help,” Chua added.
She said officials at HHS were already beginning to use the NIST Cybersecurity Framework, putting them ahead of the mandate for all federal agencies to do so included in the executive order President Trump signed last week.
Chua said the director of the office of security in OCIO, “used the framework to ensure that she had a really robust discussion with senior leadership” at the department.
The framework’s core is divided into five functional elements: Identify, Protect, Detect, Respond and Recover. Officials “tailored questions derived from each” function, she said, in an effort to educate department leadership about the cyber-risks they faced.
The five functions are often portrayed in a five-color bar chart, and Chua said the director of the office of security in OCIO also “made sure that she relayed this chart in terms of the budget that she’s asking for each of the [five] specific areas.”
By breaking the budget down across those five functions, officials had been able to see imbalances in resource allocation and “identify the areas where we need more resources,” Chua said.