Updated Best Practice Playbook for Healthcare Cyberthreats
David Holtzman of HITprivacy LLC Discusses the Latest HHS Task Group Guidance
A recently updated guidance document developed by an advisory group to the Department of Health and Human Services can help all types of organizations within the healthcare sector be better prepared to deal with the latest cyberthreats, said attorney David Holtzman, principal of consulting firm HITprivacy LLC.
The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, or HICP 2023 Edition, is a playbook containing details about the current top threats - such as ransomware and social engineering - and the latest best practices to help healthcare sector organizations "best defend and recover from a cybersecurity incident," he said.
"HICP was written for the entire healthcare industry," and not just for HIPAA-regulated entities, Holtzman said. "Any organization that handles health information can benefit from using the best practices of HICP," he said.
Stakeholders from the government and private healthcare sector who are members of the HHS 405(d) Task Group, which advises HHS on cybersecurity issues, developed the original HICP document in 2019 and the updated version published in April. Holtzman is a member of the HHS 405(d) Task Group, which is a part of the larger Health Sector Coordinating Council that released HICP (see: HHS Publishes Guide to Cybersecurity Best Practices).
The updated HICP document also includes modified best practices that take into account issues such as medical device connectivity, "which is a significant area of threat," he said.
In this video interview with Information Security Media Group at ISMG's Healthcare Security Summit in New York City, Holtzman also discussed:
- Other important features in the updated HICP 2023 Edition;
- The changing cyber insurance marketplace and its effect on healthcare organizations;
- Other guidance materials under development by the HHS 405(d) Task Group.
Holtzman previously served on the health information privacy team at the Department of Health and Human Services' Office for Civil Rights and as a consultant at security and privacy consultancy CynergisTek. He has two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations and is a member of the HHS 405(d) Task Group and the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council.