
How Health Care Leaders Should Plan for Building Cyber Resiliency

Policy leaders recommend health care organizations implement tools like encryption and multi-factor authentication to protect their data.

Photo Credit: MUNGKHOOD STUDIO/Shutterstock

Federal health leaders are strategizing how health care organizations can build and budget for cyber resiliency as the attack landscape and need for data security grow.

“Resiliency costs money. … You can’t just plug in a new system and that you are now resilient,” said Keith Busby, acting CISO & Information Security and Privacy Group Director at the Centers for Medicare and Medicaid Services (CMS), during a recent webinar. “You don’t need to throw out everything that you’ve done. You just need to look at it from a different angle and look at some of the best practices that have been around for years.”

HHS released its cybersecurity strategy last year outlining four pillars of action to strengthen resilience through voluntary health care and public health sector cybersecurity performance goals (HPH CPGs). The goals incentivized organizations to develop resiliency and also expanded cybersecurity services within HHS’ Administration for Strategic Preparedness and Response (ASPR).

Cmdr. Thomas Christl, director of the Office of Critical Infrastructure Program within ASPR, noted the goal for the 2023 HHS roadmap was to provide consolidated, actionable guidance recommendations in a simplified manner.

“This is going to cost money, and so HHS is looking at how can we incentivize entities to implement those practices. There’s mention of upfront investment programs as well as incentives to continue to advance the practices within an entity,” he said during the webinar. “What do we already have in place? Existing brands, programs or collaborative agreements or cooperative agreements, where else might we need to grow?”

The comments come amid an overhaul at HHS launched Thursday in which cybersecurity and tech policy and strategy functions are moving to ASPR and the renamed Assistant Secretary for Technology Policy and Office of the Coordinator for Health IT (ASTP/ONC).

“Cybersecurity, data and artificial intelligence are some of the most pressing issues facing the health care space today,” said HHS Secretary Xavier Becerra in a statement. “For decades, HHS has worked across the organization to ensure appropriate and safe use of technology, data and AI to advance the health and well-being of the American people.”

Tips for Cyber Resiliency

There are several things health care organizations should prioritize to increase data security and resilience. One priority is having a good data inventory.

“As an organization, you need to be able to know where your data is and who you’re giving it to, and so I think finding a way to do that is important, and you’re only going to do that through relationship building through collaboration with the business side of the house,” said Busby.

Busby added multi-factor authentication and encryption are basic security controls organizations should implement.

Christl added that cybersecurity should also be a part of risk management approaches.

“Everything relies on it, and it can’t just be an afterthought. Work it into exercises. Have specific exercises for cybersecurity. The preparedness supports resilience and recovery,” said Christl. “Also try to truly understand the first, second, third-level contingencies, and make sure you have plans to address those contingencies as much as possible. Then the most important part of all of this is that once you think you’ve understood those, talk with the people and have the conversations that go back to the contracts and resilience.”

ARPA-H Programs Tackle Resilience

Christl cited efforts the Advanced Research Projects Agency for Health (ARPA-H) has launched, including its new Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program and its Digital Health Security Initiative.

Christl said he’s also collaborating with the Cybersecurity and Infrastructure Security Agency (CISA) to help organizations understand what resources they have.

“They have free, scalable services that entities can sign up for to help get information on where they might be vulnerable,” said Christl. “They also have a health care and public health sector cybersecurity toolkit. We’re working with them to make sure that they’re speaking the right language for the health care sector, that they’re engaging effectively so that as many people as possible become aware of these resources and that they’re going to be taking advantage of them.”
