Jan. 8, 2019 | InBrief

HHS and healthcare industry cybersecurity best practices

In 2015, HHS (Health and Human Services) convened the Cybersecurity Act of 2015 405(d) Task Group, leveraging the HPH (Healthcare and Public Health) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. The Task Group comprises over 150 members representing many roles and organizations, from healthcare practitioners to privacy and cybersecurity subject matter experts. The Task Group's mandate was to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry.

At the end of 2018, HSCC (Health Sector Coordinating Council), in partnership with HHS, released the official “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication. The four-volume publication seeks to raise awareness among executives, health care practitioners, providers, and health delivery organizations, such as hospitals. It is applicable to health organizations of all types and sizes across the industry.

West Monroe Partners was one of the core industry partners aligned with the task force to produce the HICP and sponsored multiple pre-testing efforts to gather feedback from the industry before the official release. Read more about our experience here

"This initiative truly illuminated the power of public-private partnership as well as the power of peer review. It is our hope that HICP will help move the 'cybersecurity needle' across the industry and increase the resiliency of our industry to cyber-attacks." - Erik Decker - University of Chicago Medical Center CISO

The publication consists of four volumes:

  1. The main document of the publication explores the five (5) most relevant and current threats to the industry and recommends ten (10) Cybersecurity Practices to help mitigate these threats.
  2. Technical Volume 1 discusses these ten (10) cybersecurity practices for small healthcare organizations. It is intended for IT and IT security professionals.
  3. Technical Volume 2 discusses these ten (10) cybersecurity practices for medium and large healthcare organizations. It is intended for IT and IT security professionals.
  4. Resources and Templates provides additional resources and materials that organizations can leverage to develop policies and procedures as well as assess their own cybersecurity posture, through a Cybersecurity Practices Assessment Toolkit.

For more information on this effort and to download a copy of the publication, please visit the 405(d) website. 

West Monroe Partners is proud to support the effort with the 405(d) Task Group from inception and into the future as we collaborate against common threats and adversaries within the Healthcare Sector. The more intelligence, lessons from experience, and thought leadership we all share, the better we can reduce risk within our respective organizations and communities, in both the physical and digital worlds.