Health-care organizations are tempting targets for cyber criminals because they hold a wealth of sensitive information, including personally identifiable information, financial details and health records, said Nitin Natarajan, deputy director of the Cybersecurity and Infrastructure Security Agency (CISA), in the toolkit announcement.
“They are essentially a one-stop shop for an adversary,” Natarajan said.
Plus, health-care entities often rely on digital systems for key activities, like communicating with patients, conducting medical procedures and storing patient information — making a disruption painful.
Andrea Palm, deputy secretary for the Department of Health and Human Services (HHS), said the quantity and severity of cyber attacks against hospital and health-care systems has risen significantly over the past few years.
Already 2023 has seen a variety of incidents, from an August attack that disrupted operations at several Connecticut hospitals to a major data breach whose victims included roughly 277,000 members of a San Jose-based health plan provider.
CISA has been collaborating with HHS and a Health Sector Coordinating Council (HSCC) Cybersecurity Working Group to provide cyber supports for the sector — including preparing the newly released Cybersecurity Toolkit for Healthcare and Public Health.
The toolkit brings together relevant resources from each group, including a document from HHS on cyber resiliency best practices for the sector as well as an HHS-HSCC guide for health care and public health entities implementing cybersecurity frameworks. The toolkit also features information on accessing CISA’s free vulnerability scanning services.
