The Biden administration is ramping up efforts to harden defenses around the U.S. health care infrastructure, releasing an updated cyber “toolkit” to help the sector better defend against hackers.
Why it matters: Health care is a high-value, target-rich industry facing increasing attacks, and the problem is increasingly being recognized as a threat to patient safety when providers are forced to divert or shut down care.
Driving the news: Top officials from the Health and Human Services Department and the Cybersecurity and Infrastructure Security Agency (CISA) said Wednesday they have been working to better coordinate and clarify industry guidance.
- They jointly released the toolkit that includes ways for the health sector to mitigate risk, such as vulnerability scanning, best practices, and a framework for accessing and improving cyber resiliency.
- It’s part of a broader set of tools HHS has been releasing over the last year to help improve cyber hygiene across the sector, said HHS Deputy Secretary Andrea Palm.
- “In cyber, it’s hospitals that are on the front lines,” said Nick Leiserson of the White House’s Office of the National Cyber Director during a roundtable with industry leaders on Wednesday.
Between the lines: This year alone, CISA said it provided pre-ransomware notifications to roughly 65 U.S. health care organizations to stop ransomware encryption and warn entities of early-stage ransomware activity.
- Industry cybersecurity experts have raised alarm over health care’s cyber defenses, noting how often health systems had to pay ransoms or sustain massive losses after their computer systems were crippled.
- Smaller health systems are often outgunned compared to larger ones, experts say. But even IT experts at large health systems find themselves confounded by a patchwork of regulations and guidance from state and federal agencies.
The intrigue: Palm mentioned an interesting tactic HHS has also employed in aiding health systems under an attack: It’s played matchmaker with peer organizations that have been attacked before.
- The idea, she said, is “that they’re not learning all of this from scratch in this fire drill, but that they’ve got sort of a peer partner that they can talk to about how they’ve navigated through it,” Palm said.