Erik Decker on New “Health Industry Cybersecurity Practices”

By Erik Decker, Chief Information Security and Privacy Officer, University of Chicago Health

At the end of 2018, the Department of Health and Human Services (HHS) released a cybersecurity report that included valuable insights from CHIME and AEHIS members. HHS unveiled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), a four-part document designed to help healthcare organizations mitigate the top cybersecurity threats we face today. It is the work product of the 405(d) Task Group, where I serve as industry lead and co-chair along with my HHS government counterpart, Julie Chua.

“Many of the most influential industry organizations in healthcare came together as the 405(d) Task Group in May 2017, to plan, develop and draft this publication,” wrote HHS Deputy Secretary Eric Hargan in the report. “HHS engaged a diverse group of more than 150 healthcare and cybersecurity experts through the Health Sector Coordinating Council as well as our government partners. The Task Group focused on building a set of voluntary, consensus-based principles and practices to improve cybersecurity in the health sector.”

The documents and a toolkit are:

  • The main document examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores five current threats and presents 10 practices to mitigate those threats.
  • Technical Volume 1 discusses these 10 cybersecurity practices for small healthcare organizations.
  • Technical Volume 2 discusses these 10 cybersecurity practices for medium and large healthcare organizations.
  • The Resources and Templates portion includes a variety of cybersecurity resources and templates for end users to reference.

This initiative and the documents can be found on the website.

Review a list of participants who partnered to create the report.

CHIME, at the request of its membership, led the charge to increase congressional awareness about healthcare cybersecurity challenges, and welcomed the inclusion of the healthcare-specific provisions in the Cybersecurity Act of 2015. The provision known as 405(d) directed HHS to establish, through a collaborative process with the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and any other federal and non-federal entities, a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures and processes that:

  • Serve as a resource for cost-effectively reducing cybersecurity risks for a range of healthcare organizations;
  • Support voluntary adoption and implementation efforts to improve safeguards to address cybersecurity threats; and
  • Are consistent with NIST, Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) standards, guidelines and requirements.

In addition to the more than 150 participants who provided thought leadership in the development of this document, it was also focus-group tested by over 100 individuals in seven different regions throughout the country. This effort has been a fantastic example of public-private partnership and of what is possible with an inclusive approach, leveraging the expertise of representatives from across the industry, with the backing of the federal government.

I’d like to personally thank my co-chair and all of those who contributed to the dialogue and participated in this important initiative. I look forward to getting your feedback and learning about how your organizations leverage these resources to bolster your cybersecurity posture.
