HHS releases free online cybersecurity training, best practice reports for healthcare

The U.S. Department of Health and Human Services (HHS) has released several new informational resources for healthcare organizations to beef up on cybersecurity, including no-cost awareness training programs for healthcare employees.

Announced Monday, the new resources comprise an online education and training platform called Knowledge on Demand and a pair of reports that outline sectorwide best practices and characterize hospitals’ current level of cybersecurity preparedness.  

“These efforts are a key part of the administration’s work to secure all of our nation’s critical infrastructure from cyber threats,” HHS wrote in a release.

Knowledge on Demand’s free virtual trainings are a first for the department. The platform includes videos, job aids and PowerPoint presentations that are all accessible through HHS’ 405(d) Program website and are broken down into five focus areas: social engineering, ransomware, loss or theft of equipment or data, accidental or malicious data loss and attacks against network-connected medical devices.

“Cyber attacks are one of the biggest threats facing our healthcare system today, and the best defense is prevention,” Deputy Secretary Andrea Palm said in a release. “These trainings will serve as an asset to any sized organization looking to train staff in basic cybersecurity awareness and are offered free of charge, ensuring that those hospitals and health care organizations most vulnerable to attack can take steps toward resilience.”

Also hosted on the program’s webpage is the Health Industry Cybersecurity Practices (HICP) 2023 Edition report. The publication offers healthcare cybersecurity guidelines, practices, methodologies, procedures and processes developed with the contributions of industry and federal professionals.

Of note, the report's latest edition digs deeper into social engineering attacks as a top five threat against the healthcare sector.

“HICP 2023 is the updated version that our industry needs to make sure they are applying scarce resources to the highest threat,” Erik Decker, Intermountain Health’s chief information security officer and chair of the Health Sector Coordinating Council Cybersecurity Working Group, said in a release. “This will give the most underserved hospitals the best return on investment for cyber investment.”

Finally, HHS also released its Hospital Cyber Resiliency Initiative Landscape Analysis (PDF). The 55-page report includes an up-to-date benchmark of hundreds of participating hospitals’ cybersecurity preparedness against standardized guidelines—for instance, the National Institute of Standards and Technology Cybersecurity Framework or the accompanying HICP 2023.

The analysis “greatly furthers our understanding of hospital cyber resiliency and provides us with a platform to begin working through potential policy considerations and minimum standards to better support cybersecurity in U.S. hospitals,” Palm said.

The new resources were developed by HHS’ 405(d) Program—the department’s public-private collaboration on healthcare cybersecurity—alongside the Health Sector Coordinating Council Cybersecurity Working Group.

The new materials from HHS aim to support the industry as malicious attacks are forcing hospitals and other healthcare organizations onto the back foot.

A recent JAMA Health Forum study found that ransomware attacks against healthcare organizations had doubled from 2016 to 2021. A 2022 report from IBM estimated the average breach ran healthcare organizations $9.23 million in 2021.