HHS Makes One-Stop Cybersecurity Shop in ASPR
The agency is working on standards and cyber incident response capabilities to help health care organizations combat ransomware threats.
Ransomware is an escalating problem in health care. So much so that the Department of Health and Human Services is creating a one-stop cybersecurity shop in the Administration for Strategic Preparedness and Response (ASPR) to help health care organizations address cyber challenges and respond to threats or incidents more quickly.
The effort is the fourth pillar within the agency’s recently released cyber plan to boost health care sector resiliency. The three other pillars include publishing new voluntary health care-specific cybersecurity performance goals, working with Congress to develop supports and incentives for domestic hospitals to improve cybersecurity, and increasing accountability and coordination within the health care sector.
If not addressed quickly, ransomware challenges can only escalate further year over year. According to a recent report, victims of ransomware attacks paid over $1.1 billion in 2023 and $570 million in 2022. Not only that, these incidents can impact patient safety.
“Ransomware attacks are particularly concerning because they lock down certain systems within a hospital, for example, and demand payment or a ransom. And when they do so, they can pose an immediate threat to patient health and safety,” said ASPR Office of Preparedness Deputy Director Brian Mazanec. “Imagine going to a hospital or an emergency room and if they can’t use the MRI machine or access your electronic medical records to know you’re allergic to penicillin. … We believe cybersecurity is patient safety. And we’re very focused on that.”
ASPR is working with partners to build stronger cybersecurity practices. This includes harmonizing cybersecurity standards such as HHS’ Public Health Sector Cybersecurity Performance Goals (HPH CPGs) published in January to help health care institutions plan for high-impact cybersecurity practices.
“The HPH CPGs provide layered protection at different points of weakness in an organization’s technology environment, which is crucial to increase cyber resilience and ultimately protect patient safety,” said Mazanec. “Layered defense provides redundancy so if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way.”
HPH CPGs fall into two categories: essential goals and enhanced goals. The essential goals are those that are the most basic and achievable. Enhanced goals are for those with more resources to prepare for cyber attacks.
According to HHS’ 2023 Hospital Cyber Resiliency Landscape Analysis, 80% of cyberattacks are identity-based. Several essential CPGs, including basic cybersecurity training, email security measures and revoking credentials for departing workforce members, are low-cost, high-yield actions that can protect organizations from identity-based attacks. The more intensive enhanced goals like network segmentation prevent threat actors from moving laterally in an organization after a breach.
ASPR is also working on improving its cyber incident response capabilities and resources.
“ASPR will continue to make further enhancements to our incident response capabilities, to include an enhanced incident tracking system that seamlessly integrates data to help ensure HHS is best positioned to make data-informed decisions in a timely manner when dealing with a cyber incident,” said Mazanec. “We also plan to enhance the tools and resources we can bring to the health care sector to support hospitals dealing with a serious cyberattack.”