Centers for Disease Control and Prevention (CDC)
Healthcare organization and hospital computer systems can be attacked by hackers to steal or manipulate patients' financial or medical records or other information, and can then be used for criminal activity or to create disorder and generate fear. Cyber attacks threaten the information technology (IT) of healthcare organizations and hospitals, its underlying security measures, and employees' ability to care for patients and respond to emergencies. Risks can include the loss of patient information, disruption of care because of software unavailability, loss of confidence in providers because of the perception of inadequate security, power outages, destruction of generators, and risks to the operational integrity of personal medical devices (e.g., implantable cardioverter defibrillators, pacemakers, insulin pumps). In recent years, healthcare organizations and hospitals have increased their use of wireless personal medical devices and network connections, which places these devices at risk for privacy and security breaches. For example, these wireless devices and network connections can be enabled and modified remotely.
Ensuring cybersecurity requires coordinated efforts throughout an IT system. To deal with the current environment, advisory organizations are promoting a more proactive and adaptive approach. The National Institute of Standards and Technology (NIST), for example, recently issued updated guidelines in its risk assessment framework that recommended a shift toward continuous monitoring and real-time assessments.
Healthcare organizations and hospitals can prepare for cyber breaches or attacks by implementing measures to secure important systems that have the potential to be threatened. Cybersecurity preparedness involves adequate planning and implementation of a response process, which includes continuous research on and incorporation of lessons learned from:
To assist stakeholders within the healthcare community, the Centers for Disease Control and Prevention (CDC) Office of Public Health Preparedness and Response (OPHPR) developed this Healthcare Organization and Hospital Discussion Guide for Cybersecurity (hereafter referred to as the Cybersecurity Discussion Guide) to support healthcare organizations and hospitals in addressing cybersecurity. Specifically, this document is intended for personnel whose job responsibilities include cybersecurity preparedness and response planning.
The Cybersecurity Discussion Guide focuses on one method (i.e., conducting a discussion-based exercise) to enhance cybersecurity preparedness as part of the threat landscape considered in the creation of an Information System Contingency Plan (ISCP). The guide can be downloaded using the following link.
Link: https://www.cdc.gov/phpr/healthcare/documents/healthcare-organization-and-hospital-cyber-discussion-guide.pdf