HITRUST Statement Regarding Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
As many of you already know, in late December, the Department of Health and Human Services released voluntary cybersecurity practices to the healthcare industry. The “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” publication aims to provide guidance to healthcare organizations of all types and complexity.
This industry-led effort was in response to a mandate set forth by the Cybersecurity Act of 2015, Section 405(d), to develop a voluntary set of practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry.
HITRUST was pleased to join HHS and others in participating in the development of the new guidelines through the Healthcare and Public Health Sector Coordinating Council and welcomes their publication.
While not as comprehensive as a controls-based risk management framework, like the HITRUST CSF, the HICP is now another reference tool that healthcare organizations can use to protect sensitive information, raise cybersecurity awareness and move organizations toward meaningful cybersecurity objectives and outcomes. This guidance also helps showcase the importance of a coordinated approach to cybersecurity in the healthcare industry.
The security control concepts and most of the practice recommendations in the HICP are already incorporated into the HITRUST CSF, and we anticipate the HICP will be formally integrated as an authoritative source and available for selection as a targeted assessment in MyCSF with the release of CSF v10 later this year. We are also reviewing to determine if any of the requirements not currently required for HITRUST CSF Certification should be considered.
Date: January 15, 2019