The HHS 405(d) Program Website Has Valuable Resources—But Who Has Extra Time to Surf the Web?

Dec. 23, 2021
The HHS 405(d) Program website, introduced Dec. 1, offers a plethora of resources on cybersecurity, but healthcare workers, especially right now, don’t have the time to bone up on best practices.

On Dec. 1, the U.S. Department of Health and Human Services (HHS), through the Office of Chief Information Officer (OCIO) and Office of Information Security (OIS), announced the launch of a website for the HHS 405(d) Aligning Health Care Industry Security Approaches Program.

The press release announcing the website states that “The HHS 405(d) Program website was developed in partnership with the HHS 405(d) Task Group which includes more than 150 individuals from industry and the federal government who have tirelessly collaborated and provided their insights because they believe there is only one way to fight cybersecurity threat—together. Through this new website, the 405(d) Program supports the motto that Cyber Safety is Patient Safety and provides the Healthcare and Public Health (HPH) sector with useful, impactful, and vetted resources, products, videos, and tools that help raise awareness and provide cybersecurity practices, which drive behavioral change and move toward consistency in mitigating the most relevant cybersecurity threats to the sector.”

The release continues: “The HHS 405(d) Program was established in response to the Cybersecurity Act of 2015. Under section 405(d), HHS convened the CSA 405(d) Task Group to enhance cybersecurity and align industry approaches by developing a common set of voluntary, consensus-based, and industry-led cybersecurity guidelines, practices, methodologies, procedures, and processes that healthcare organizations can use. These are available in the program’s cornerstone publication Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).”

The release explains that in addition to the HICP publication, the website also features healthcare-focused resources like cybersecurity posters and infographics, installments of the bi-monthly 405(d) Post newsletter, 405(d) Spotlight Webinar recordings, and threat-specific products to support cybersecurity awareness and training efforts.

But here’s the thing: individuals will actually have to access the website to find it useful. Individuals who work in healthcare organizations are, under normal circumstances, extremely busy taking care of patients and taking care of their corresponding administrative duties. Of course, the pandemic only added to this already demanding workload. I think it’s pretty safe to say that workers don’t exactly have extra time to poke around on websites right now, and the way the Omicron variant is surging, they won’t suddenly have the time next week or next month.

But having a solid cybersecurity program at a healthcare organization is, nonetheless, extremely important. Ransomware attacks have increased since the pandemic and directly impact patient safety. Palo Alto, Calif.-based Armis, a unified asset visibility and security platform provider, released data that we reported on in November showing the increased security risk faced by healthcare organizations and patients. The survey was done in conjunction with Censuswide, and looked at perspectives of over 2,000 potential patients in various industries and 400 IT professionals working in healthcare organizations from across the U.S. One troubling result was that ransomware alone has hit organizations hard, with 58 percent of IT pros in healthcare stating that their organization has been hit with ransomware.

In October, an Alabama woman filed a lawsuit against Springhill Medical Center. The lawsuit states that if the woman had known that hackers hit the hospital, she would have chosen to deliver elsewhere. According to a CBS News article, “Springhill Medical Center was besieged by a ransomware attack when Nicko Silar was born July 17, 2019. The resulting failure of electronic devices meant a doctor could not properly monitor the child's condition during delivery, according to the lawsuit by Teiranni Kidd, the child's mother.”

The baby had severe brain injuries, among other issues, and died last year at another hospital after months of intensive care.

It is clear that cybersecurity needs to be taken seriously, and the HHS 405(d) Program website is chock-full of resources, many of which are printable. Workers in administration, or those whose role in a hospital is strictly IT, don’t have tons of free time themselves. Still, perhaps the best way to make use of this website and its resources is to assign someone not on the front line to print what is printable every few weeks or so and hang available posters or infographics around common areas, like breakrooms.

For some of the other resources, like webinars, maybe emailing links directly to employees would be beneficial, instead of having them search around to find what is relevant in that moment themselves. If time allows, an important webinar can be viewed by groups of staff all at one time.

As far as the newsletters go, again, these are printable. Handing someone a paper copy of information can oftentimes be more convenient than searching around on the website to find the most recent edition.

Overall, there are many valuable resources on the HHS 405(d) Program website—it’s just a matter of balancing the busy lives of healthcare workers with getting them the information they need so they can stay vigilant against cyberattacks that directly impact patient safety. 
