It’s fitting that for episode 405 we talk with Erik Decker, lead on the HHS 405d Task Group, about the recently released Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) 2023 edition. Since David and I are also on the 405d task group, we are excited to talk about the new updates and added resources FREELY available to help everyone prepare and fight against cybersecurity threats.
In this episode:
405d Erik Decker Joins Us for Ep 405
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
All things 405d in 2023
[02:46] Erik Decker is the Chairman of the Health Sector Coordinating Council Joint Cybersecurity Working Group and the lead of the 405d Task Group, which recently released new updates and resources for the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). His day job is Vice President & Chief Information Security Officer at Intermountain Healthcare.
Erik was also recently awarded the Baldrige Foundation Award for Leadership Excellence in Cybersecurity. Congratulations, Erik! Well deserved!
[10:58] HICP 2023
- Made incremental updates and changes to the phishing threat. It is now called social engineering and covers the various types of social engineering threats, not just email phishing.
- Overall, not much has changed with the practices themselves, which shows that good cyber hygiene is pretty persistent.
- Network Connected Medical Devices (Practice #9) had a pretty significant rewrite, with a lot more in-depth discussion and guidance on how to go about actually achieving some of those practices.
- Cybersecurity Policies (Practice #10) is now called Cybersecurity Oversight and Governance. There is risk assessment, policy and cyber insurance guidance in there now, along with guidance on how to actually go about achieving it.
- [17:13] Hospital Resiliency Landscape Analysis. This analysis was an effort driven by the sector and government trying to diagnose what the problem set is for hospitals specifically in the United States. The analysis covered not only data security issues but also the damage that can be done to the operational resiliency of a hospital. Now, HHS is going to take that and figure out what they can do within their authorities and remits to incentivize and stimulate this area of healthcare to make some significant updates and changes.
- [39:13] 405d Knowledge on Demand. A series of packaged content that anyone can take and deploy in their organization, including:
- Interactive videos that include audio, knowledge checks and animations.
- SCORM content that can be downloaded and imported into a Learning Management System (LMS) that has a similar look and experience as the interactive videos.
- Job aids which are single documents with key tips related to the 5 HICP cybersecurity threats.
- PowerPoint presentations that can be used for in-person or on-site presentations. These also include presenter notes and knowledge checks to reinforce learning.
- Side Bar: the Health Sector Coordinating Council has also released a free Cybersecurity Training Video Series for clinicians, professionals and students. These are professional videos for clinicians, made by clinicians, and you can receive CME and CEU credit for them. They are also available to download in SCORM format for importing into an LMS.
- Other resources in the works are:
- A publication on cybersecurity as a component of enterprise risk management, discussing how to treat cyber as an enterprise risk and not just a technical risk.
- A publication, called OCCI, that will essentially cover the first 24 hours of a large-scale event: how to actually pull your emergency management and response teams together and what that structure looks like. It is geared towards business continuity during a cyber event.
- A large, full-scale incident response plan for cyber events and disruptions.
We want folks to stay involved, stay engaged, and we definitely need the help, particularly in the small and medium market. We need folks that work in the offices to be part of this. Regardless of the size of your organization, it is really about having a voice at the table, because we need more of that. So, please consider volunteering your time to assist in developing cybersecurity changes in healthcare.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.