Changes and advances in healthcare have increased in recent years at an amazing rate. Everything from major mergers and acquisitions to new innovations in treatment delivery has been reshaping the healthcare environment as we know it today, and we do not see this slowing down at any time in the future.
As with most of these advancements, technology plays a major role in the innovation, creating convenience, accessibility, and connectivity. However, an increase in the use of technology also introduces challenges when examining cybersecurity threats and risk, both at the individual level and in the healthcare ecosystem as a whole. Healthcare data breaches continue to be front and center in the media, raising public awareness of this risk and the challenges associated with it.
To strengthen cybersecurity for the health sector, the Cybersecurity Act (CSA) became law in 2015 and within this legislation is Section 405(d), which requires the collaborative development of healthcare industry guidelines. The 405(d) Task Group convened by the U.S. Department of Health and Human Services (HHS) is facilitating an industry-led process to develop these consensus-based guidelines, best practices and methodologies to strengthen the healthcare & public health (HPH) sector’s cybersecurity posture. There are 70+ industry participants, comprised of information security experts and medical professionals from large and regional health insurance payers, regional hospital systems, healthcare service providers, and local practitioner offices.
The goal of the group is simple, yet complex – how do we reduce cybersecurity risk within the healthcare system? Current and past security incidents, frameworks, and innovations were discussed and explored. From there the group created multiple revisions of what came to be 405(d) best practices documents in individual volumes for small, medium, and large organizations. This enhanced guidance provides HPH organizations consistent recommendations for reducing risk and enhancing their cybersecurity controls and posture.
HHS and industry participants are hosting pre-testing meetings of the 405(d) best practices via virtual and onsite locations throughout the United States through August of this year. The purpose of pre-testing is to discuss and provide feedback on relevant sections of the 405(d) best practices. The results of this effort will help inform future iterations of the document.
West Monroe will host pre-testing sessions for both cybersecurity professionals and medical practitioners on Wednesday, August 22 at our Seattle office. Please reach out to Maggie Santolla (firstname.lastname@example.org) if you are interested in participating.
West Monroe is proud to be part of the HHS team that is providing best practices for HPH organizations of all sizes as we drive forward to ultimately protect our shared healthcare system and reduce its risk.