HSCC releases 5-year strategic cybersecurity plan

In February 2024, the Health Sector Coordinating Council (HSCC) released its Cybersecurity Strategic Plan. 

What happened

The Health Sector Coordinating Council (HSCC) unveiled a 5-year strategic plan for healthcare and public health sector cybersecurity at the ViVE 2024 conference. This plan, developed in response to an alarming increase in healthcare data breaches in 2023, seeks to transition the healthcare industry's cybersecurity status from critical to stable by 2029. 

After analyzing current and ongoing industry trends, such as the rapid incorporation of emerging technologies and workforce challenges, the HSCC identified potential cybersecurity threats and outlined actionable and measurable strategies for addressing them. 

The Health Industry Cybersecurity Strategic Plan (HIC-SP) offers a modular approach, allowing healthcare organizations to tailor cybersecurity efforts to their needs. It aligns with other efforts, including the HHS’ Healthcare Sector Cybersecurity Strategy and voluntary cybersecurity performance goals. 

See also: ViVE 2024 Los Angeles - "Wanna see something new?"

The backstory

Amidst the backdrop of increasing cyberattacks and evolving tactics, as seen in the HSCC Cybersecurity working group incident reponse template and the HHS cybersecurity strategy released in 2023, the HIC-SP emerges as a tool designed to address specific challenges unique to the healthcare sector. Unlike broader cybersecurity strategies that offer general guidelines across various industries, the HIC-SP zeroes in on the unique operational impacts of cyber incidents on patient care within healthcare settings.

It fills in gaps left by existing guidance by providing a detailed incident response template that healthcare organizations can tailor to maintain continuity of care even amidst technological disruptions caused by cyberattacks. The HIC-SP's targeted approach complements broader initiatives, offering actionable steps for healthcare providers to enhance their resilience against cyber threats.

Going deeper

1. In 2023, almost 740 healthcare data breaches were reported to the HHS' Office for Civil Rights, affecting more than 136 million individuals.
2. The most common attack vectors in December 2023 were network server breaches (51 occurrences), followed by email breaches (14 occurrences) and paper/films breaches (4 occurrences).
3. Email breaches saw a 41% increase in January 2024 compared to January 2023.
4. The highest number of individuals affected by network server breaches in the last five Januaries occurred in December 2023, with an attack on HealthEC LLC and ESO Solutions, Inc., affecting a combined total of 7,152,782 individuals.
5. December 2023 reported the highest number of network server breaches (51 occurrences) in comparison to the previous years, with a rise from December 2022.

Why it matters

The plan comes in the wake of PHI breaches reported to the Department of Health and Human Services (HHS) in December 2023, as detailed in the Paubox HIPAA Breach Report for January 2024. The HSCC's strategic plan recognizes the acute vulnerabilities within the healthcare sector, exacerbated by the high volume of network server breaches. With over 21 million individuals' data compromised in the last five Decembers alone, the HIC-SP aims to address these vulnerabilities through comprehensive cybersecurity programs tailored to the healthcare industry's needs.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What is the HSCC?

The HSCC is a coalition of private-sector healthcare infrastructure entities that partners with the government to identify and mitigate strategic threats and vulnerabilities to the healthcare sector's ability to deliver services and assets to the public.

What is a data breach?

A data breach is a security incident in which sensitive, protected, or confidential data is accessed, disclosed, or used without authorization.

What are network server breaches?

Network server breaches are cyberattacks where unauthorized access is gained to one or more network servers, leading to the potential compromise, encryption, or theft of data stored on those servers.