The US Department of Health and Human Services (HHS) Office of the Assistant Secretary for Preparedness and Response (ASPR) held a workshop this week to commence the development of the cybersecurity guidance for the healthcare and public health sector that was required as part of Section 405(d) of the Cybersecurity Act of 2015 (PL 114-113).
The law states that HHS is to develop a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes that serve as a resource for cost-effectively reducing cybersecurity risks for a range of health care organizations. In addition, this guidance should support voluntary adoption and implementation efforts to improve safeguards to address cybersecurity threats.
The first step undertaken by HHS at this week’s workshop was developing a prioritized list of assets (people, processes, technologies, and data) that are essential for the successful performance of healthcare operations.
HHS is planning subsequent workshops this summer to address additional issues and inform the process to develop a guidance document.
It is important to note that Section 405 of the Cybersecurity Act of 2015 was developed by the Senate HELP Committee based on recommendations in HIMSS’ 2015 Congressional Asks.