Healthcare and Public Health Cybersecurity
Introduction
With its focus on caring for people, the Healthcare and Public Health (HPH) sector touches each of our lives in powerful ways. Today, much of the work the HPH sector carries out is based in the digital world, leveraging technology to store patient and medical information, carry out medical procedures, communicate with patients, and more. Any disruptions to the HPH digital ecosystem can impact patient safety, create openings for identity theft, and expose intellectual property, among other damaging effects.
To help improve cybersecurity within the HPH sector, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group are working together to deliver tools, resources, training, and information that can help organizations within this sector. Together, CISA brings technical expertise as the nation’s cyber defense agency, HHS offers extensive expertise in healthcare and public health, and the HSCC Cybersecurity Working Group offers the practical expertise of industry experts working cybersecurity issues in HPH every day.
How to Use this Toolkit
This toolkit consolidates key resources for HPH organizations at every level. Starting with the fundamental cyber hygiene steps that every organization and individual should take, the toolkit can help organizations within the HPH sector build their cybersecurity foundation and progress to implement more advanced, complex tools to strengthen their defenses and stay ahead of current threats.
Because cybersecurity is one of many areas where the Healthcare and Public Health sector is facing persistent challenges, CISA and HHS are providing this toolkit filled with remedies to give sector stakeholders a greater ability to proactively assess vulnerabilities and implement solutions.
U.S. Department of Health and Human Services Releases Cybersecurity Performance Goals for the Healthcare Sector
On January 25, the U.S. Department of Health and Human Services published voluntary healthcare-specific Cybersecurity Performance Goals to help healthcare organizations prioritize implementation of high-impact cybersecurity practices.
Healthcare and Public Health Sector: Know the Risks, Use Cyber Hygiene
Cybersecurity isn't one size fits all. Different healthcare entities have distinct strengths and weaknesses and a wide range of needs. Regardless of where an organization fits into the picture, these resources can help build a cybersecure foundation.
Healthcare and Public Health Sector: Strengthen your Defenses and Mature your Cybersecurity Efforts
CISA offers industry best practices and resources on training and exercises, incident response planning, priority telecoms services, cyber resilience, tackling ransomware and much more to help healthcare organizations strengthen their defenses.
Healthcare and Public Health Sector: Address Resource Constraints
Recognizing that the nation’s healthcare systems and providers have been under severe resource constraints—especially since the start of COVID-19—members of the HPH sector should actively take steps to address their constraints.
Collaborate, Stay Informed, and Share Information Voluntarily
Voluntary sharing of information about cyber-related events that threaten critical infrastructure organizations is critical to creating a better, more holistic understanding of the threat environment for all healthcare organizations.
What You Can Do
- OBSERVE the activity
- ACT by taking local steps to mitigate the threat
- REPORT the event
Types of Activity to Share
- Unauthorized access to your system
- Denial of Service (DOS) attacks that last more than 12 hours
- Malicious code on your systems, including variants if known
- Targeted and repeated scans against services on your systems
- Repeated attempts to gain unauthorized access to your system
- Email or mobile messages associated with phishing attempts or successes
- Ransomware against Critical Infrastructure, including variant and ransom details if known
Connect with CISA's Regional Team
CISA offers a range of cyber and physical services to support the security and resilience of critical infrastructure owners and operators—including healthcare and public health—and state, local, tribal, and territorial partners.
Related Resources
Healthcare and Public Health Sector Partnership
Find opportunities to collaborate with private sector and government partners, best practices and guidance for improving enterprise cybersecurity, and help preparing for, responding to, and recovering from significant cyber and physical threats.
Healthcare and Public Health Sector: Additional Partner Resources
U.S. Department of Health and Human Services (HHS): HHS is the Sector Risk Management Agency for the healthcare and public health sector.
Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem
In this guidance, we lay out questions and resources that organizations buying software can use to better understand a software manufacturer’s approach to cybersecurity and ensure that the manufacturer makes secure by design a core consideration.
Explore Additional Resources from CISA for Physical Security
This toolkit focuses primarily on cybersecurity resources, but CISA has a wide array of offerings to help the HPH sector and other critical infrastructure organizations improve their security and resilience. Here are some more resources to explore.
Cyber Threats to Medical Technology and Communication Technology Protocols
CISA and DHS developed this infographic to show examples of cyber threats related to the expansion of the interoperable IT/OT environment in healthcare and the potential consequences.
Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment
In January 2023, CISA conducted a Risk and Vulnerability Assessment (RVA) at the request of a Healthcare and Public Health (HPH) sector organization to identify vulnerabilities and areas for improvement. This advisory details those findings.
Advisories, Alerts, and Other Information
Health Sector Cybersecurity Coordination Center (HC3)
Stakeholders can join the HC3 listserv to receive immediate notification of products and invitations to monthly threat briefings by emailing HC3@hhs.gov.
Sign up for real-time cyber threat intelligence
CISA’s Automated Indicator Sharing (AIS) platform provides a public feed for real-time sharing of cyber threat intelligence.
National Cyber Awareness System (NCAS)
The NCAS provides cybersecurity advisories that often include information tailored for health and public health.
Sign up for the Joint Cyber Defense Collaborative ‘Industry Exchange’ Community of Interest (COI)
CISA’s Homeland Security Information Network (HSIN). HSIN is a secure, trusted environment where federal, state, local, territorial, tribal, international and private sector partners receive Sensitive But Unclassified information up to the TLP:GREEN
Healthcare and Public Health Sector Highlights
HHS’s Office of Critical Infrastructure Protection distributes weekly bulletins. Request to be added to the Cybersecurity Edition and find bulletins on other critical infrastructure topics at the CIP Bulletins webpage.
Mitigation Guide: Healthcare and Public Health (HPH) Sector
This CISA Mitigation Guide offers recommendations and best practices to combat pervasive cyber threats affecting the Healthcare and Public Health (HPH) Sector.