WRAP-EM Cybersecurity Fact Sheet
The COVID-19 pandemic has led to a significant rise in telemedicine usage across healthcare organizations nationwide. This surge in digital care has also brought about increased challenges in securing patient data. WRAP-EM has highlighted cybersecurity as a crucial element in providing safe and effective virtual healthcare services. In response, the United States Department of Health and Human Services (HHS) 405(d) Task Group has released specific cybersecurity guidelines for healthcare settings.
WRAP-EM Cybersecurity Fact Sheet 

HHS Letter to Healthcare Providers in Response to the Change Healthcare Cyberattack and Resources for Providers​
HHS Deputy Secretary Palm, ASPR Administrator and Assistant Secretary O’Connell, and Centers for Medicare & Medicaid Services Administrator Brooks-LaSure published a letter addressing the continued impact of the Change Healthcare cyberattack, which also includes an appendix of resources from payers to share with health care providers.

Health Sector Coordinating Council Publishes Health Industry Cybersecurity Strategic Plan
The Healthcare and Public Health (HPH) Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) recently published the ​2024-2029 Health Industry Cybersecurity Strategic Plan. This plan serves as a call to action for health care organizations to implement foundational cybersecurity programs that address the operational, technological, and governance challenges posed by significant health care industry trends over the next five years.

Cybersecurity: Health Sector Publishes Guide for Coordinating Privacy and Security Partnerships
On February 16, the Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group published a guide for health providers and companies to coordinate privacy and cybersecurity functions for improved overall compliance and operational efficiencies and effectiveness. It is found here: healthsectorcouncil.org.
Cyersecurity Guide for Health Providers and Company

​Cybersecurity: HHS’ Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced the second ever settlement under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) following a ransomware attack that affected the protected health information of more than 14,000 individuals. Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.
Read the Full Press Release from the HHS

​Cybersecurity: Joint Cybersecurity Advisory Recommends Action to Defend Ivanti VPN Gateways from Compromise
U.S. and international agencies urged health care and other critical infrastructure organizations using Ivanti Connect Secure VPN and Ivanti Policy Secure to take certain steps to defend against known cyber threats that Ivanti’s Integrity Checker Tool may fail to detect.
Read the full Joint Cybersecurity Advisory.


​American Medical Association (AMA): Recent Cyber Attacks, Ransomware Trends, and Cybersecurity Threats for Doctors
The latest episode of the AMA Update podcast discusses what is cybersecurity in the health care industry, how common ransomware attacks are on hospitals, and how artificial intelligence is used in cyber security. 
Listen to the full podcast episode from AMA.

​HHS Pushes Better Cybersecurity Across the Health Sector
Between constant ransomware and medical device software scares, the health care sector has become a scary place for cybersecurity. Now the Department of Health and Human Services (HHS) is asking organizations in the health care sector to adopt what it calls “high-impact cybersecurity practices.” For details, the Federal Drive with Tom spoke with Brian Mazanec, HHS Deputy Assistant Secretary and Director of the Office of Security, Intelligence, and Information Management. Read more of the interview here.            

NIST SP 800-66 Rev.2: Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide
NIST published the final version of Special Publication (SP) 800-66r2 (Revision 2), Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide. This publication, revised in collaboration with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, provides guidance for regulated entities (i.e., HIPAA-covered entities and business associates) on assessing and managing risks to electronic Protected Health Information (ePHI), identifies typical activities that a regulated entity might consider implementing as part of an information security program, and presents guidance that regulated entities can utilize in whole or in part to help improve their cybersecurity posture and assist with achieving compliance with the HIPAA Security Rule. 

New Volunteer Cybersecurity Performance Goals and Online Resources
The U.S. Department of Health and Human Services (HHS), through the Administration for Strategic Preparedness and Response (ASPR), released voluntary health care specific cybersecurity performance goals (CPGs) and a new gateway website to help Health Care and Public Health (HPH) sector organizations implement these high-impact cybersecurity practices and ease access to the plethora of cybersecurity resources HHS and other federal partners offer. 


As outlined in the recent HHS Health Care Sector Cybersecurity concept paper, HHS is publishing the CPGs to help health care organizations, and health care delivery organizations in particular, prioritize implementation of high-impact cybersecurity practices. The HPH CPGs are designed to better protect the healthcare sector from cyberattacks, improve response when events occur, and minimize residual risk. HPH CPGs include both essential goals to outline minimum foundational practices for cybersecurity performance and enhanced goals to encourage adoption of more advanced practices. 
​

It is encouraged to amplify this announcement. More information on these CPGs and HHS cybersecurity work can be found here. 



​Healthcare and Public Health Sector Cybersecurity Special Bulletin
January 26, 2024
 
HHS Releases New Voluntary Performance Goals to Enhance Cybersecurity Across the Health Sector and Gateway for Cybersecurity Resources
On Wednesday January 24th, the U.S. Department of Health and Human Services (HHS), through the Administration for Strategic Preparedness and Response (ASPR), released voluntary health care specific cybersecurity performance goals (CPGs) and a new  gateway website to help Health Care and Public Health (HPH) sector organizations implement these high-impact cybersecurity practices and ease access to the plethora of cybersecurity resources HHS and other federal partners offer.

“We have a responsibility to help our health care system weather cyber threats, adapt to the evolving threat landscape, and build a more resilient sector,” said HHS Deputy Secretary Andrea Palm. “The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs.”

As outlined in the recent HHS Health Care Sector Cybersecurity concept paper, HHS is publishing the  CPGs to help health care organizations, and health care delivery organizations in particular, prioritize implementation of high-impact cybersecurity practices. The HPH CPGs are designed to better protect the healthcare sector from cyberattacks, improve response when events occur, and minimize residual risk. HPH CPGs include both essential goals to outline minimum foundational practices for cybersecurity performance and enhanced goals to encourage adoption of more advanced practices.

“ASPR is leading this sector-wide effort to protect our nation’s health infrastructure against ever-increasing and complex cyber-attacks,” said Assistant Secretary for Preparedness and Response Dawn O’Connell. “The actions announced today make it easier for health care organizations to protect patients by prioritizing those key cybersecurity practices upon which they should focus their efforts.” 

The HPH CPGs provide layered protection at different points of weakness in an organization’s technology environment, which is crucial to increase cyber resilience and ultimately protect patient safety. Layered defense provides redundancy so if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way. 

Both the essential and enhanced goals were informed by common industry cybersecurity frameworks, best practices, and strategies (e.g., Health Industry Cybersecurity Practices, NIST Cybersecurity Framework, and the National Cybersecurity Strategy and Implementation Plan), and are designed to directly address common attack vectors against U.S. domestic hospitals as identified in the 2023  Hospital Cyber Resiliency Landscape Analysis . As an example, according to the Landscape Analysis, 80% of cyber-attacks are identity-based (e.g., social engineering), compromising legitimate credentials to move laterally within organizations. Several essential CPGs including implementing basic cybersecurity training, implementing email security measures, and revoking credentials for departing workforce members are relatively lower cost, high yield actions to protect organizations from identity-based attacks. The more intensive enhanced goals like network segmentation prevent threat actors from moving laterally within organizations when they are compromised.

The Critical Connection: Public Health Infrastructure and Cybersecurity
January 10, 2024
On Wednesday, January 10, 2024 from 1:00-2:00 p.m. a webinar will be held with speakers highlighting forward-thinking strategies designed to empower participants to prepare for and navigate future cybersecurity challenges.

Connection Information

Cyber Alert! ALPHV BlackCat Ransomware Advisory
On Tuesday December 19, the US Justice Department announced that it has seized websites of the second most prolific ransomware-as-a-service (RaaS) operation, BlackCat, also called ALPHV or Noberus. Today, ALPHV/BlackCat announced that its ransomware as a service (RaaS) criminal syndicate affiliates could now target critical infrastructures such as nuclear power plants, hospitals in US in response. The Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) have released a Joint CSA to disseminate known indicators of compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with the ALPHV Blackcat RaaS identified through FBI investigations as recently as December 6, 2023.  This advisory provides updates to the FBI FLASH BlackCat/ALPHV Ransomware IOC released April 19, 2022. Since previous reporting, ALPHV Blackcat actors released a new version of the malware, and the FBI identified over 1000 victims worldwide targeted via ransomware and/or data extortion. FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of the CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents.

HHS Announces Next Steps in Ongoing Work to Enhance Cybersecurity for Healthcare and Public Health Sectors​
The U.S. Department of Health and Human Services (HHS) released a concept paper that outlines the Department’s cybersecurity strategy for the healthcare sector. The concept paper builds on the National Cybersecurity Strategy that President Biden released last year, focusing specifically on strengthening resilience for hospitals, patients, and communities threatened by cyber-attacks. The paper details four pillars for action, including publishing new voluntary healthcare-specific cybersecurity performance goals, working with Congress to develop supports and incentives for domestic hospitals to improve cybersecurity, and increasing accountability and coordination within the healthcare sector.
Full Press Release

Immediate Bed Availability Guidelines and Toolkit Published to the MIHAN
Hospital Preparedness Program (HPP) staff have been working diligently to get documents completed and posted to the MIHAN. Most recently, the Immediate Bed Availability Decompression Strategy Guidelines and Toolkit was completed and posted. To find this document and many other new documents, log into the MIHAN and go to: Documents – Resource Sharing – Operational Guidelines/Plans/Document.
NOTE: If you don’t have access to the MIHAN and would like a copy of the Immediate Bed Availability Decompression Strategy Guidelines and Toolkit, click on the picture to the right or contact Lauren Korte at [email protected].
​
content.govdelivery.com/attachments/MIDHHS/2023/12/14/file_attachments/2718366/2023.12.13_IBA%20Guidelines%20Document%20v5.0.pdf



Latest Hospital Cyberattack Shows How Health Care Systems' Vulnerability Can Put Patients at Risk
Annie Wolf's open-heart surgery was just two days away when the Hillcrest Medical Center in Tulsa, Oklahoma, called, informing her that her procedure had been postponed after a major ransomware attack.  "I've got a hole in my mitral valve, and basically walking around, I can't breathe," Wolf told CBS News. "And I get very fatigued, very tired, very quickly. If I go to the store, I've got to ride the scooter." Wolf is just one of the patients impacted after Ardent Health Services says it became aware of the cyber breach on Thanksgiving Day affecting 30 hospitals and more than 200 health care sites across six states.

In a statement, Ardent said it immediately began safeguarding confidential patient data, and protectively took its computer network offline, which required some facilities, including two in New Jersey, to divert ambulances to nearby medical centers. Ardent said that "in an abundance of caution, our facilities are rescheduling some non-emergent, elective procedures and diverting some emergency room patients to other area hospitals." Ardent has not announced a timeline for when the issue could be resolved. According to the Institute for Security and Technology, at least 299 hospitals have suffered ransomware attacks in 2023.  
Learn More on Cyberattach Impacts

FEMA's Continuous Improvement Technical Assistance Program’s (CITAP)
FEMA's Continuous Improvement Technical Assistance Program’s (CITAP) has several new resources to support after-action reporting (AAR) efforts. Exercises should include child considerations so that pediatric disaster ready improvement in AAR can be monitored. 
​
Guidance Overview Video: FEMA recently released a short overview video on the National Continuous Improvement Guidance. The video summarizes the purpose of the guidance and its content. To watch the video, visit the Continuous Improvement Training playlist on FEMA’s YouTube channel. FEMA plans to release additional short training videos on continuous improvement topics in the future. Updated templates and resources available on the CITAP Preparedness Toolkit (PrepToolkit) website and upcoming events and trainings focused on continuous improvement.    FEMA's PrepToolkit
​

ASPR Launches New Health Care and Public Health Cybersecurity Website
The Administration for Strategic Preparedness and Response (ASPR) has launched a new website with cybersecurity resources and information for health care and public health entities. The website contains links to tools and resources, links to trainings, webinars and other educational materials, and updated news. Learn more and view the new ASPR cybersecurity website.


CISA Tabletop Exercise Package Healthcare and Public Sector
The Healthcare and Public Health (HPH) CISA Tabletop Exercise Package (CTEP) is a tabletop exercise-in-a-box intended to be used by members of the HPH Sector to increase their cyber resilience. This CTEP allows organizations to customize an exercise to fit their needs by modifying its scenario and discussion questions. The CTEP will bring participants through a series of scenario injects including a phishing email, third-party vendor issues, operational hospital impacts, a ransomware attack, and more. Stakeholders utilizing the CTEP can download the situation manual at Cybersecurity Scenarios | CISA and find other resources to assist in the planning/facilitating of the exercise and the post-exercise products at CTEP Package Documents | CISA. At the bottom of the document both planners and participants will find example case studies relevant to the exercise, increasing its authenticity, as well as threat descriptions and resources. Learn more here.