Updated Best Practice Playbook for Healthcare Cyberthreats

David Holtzman of HITprivacy LLC Discusses the Latest HHS Task Group Guidance
David Holtzman, principal, HITprivacy LLC

A recently updated guidance document developed by an advisory group to the Department of Health and Human Services can help all types of organizations within the healthcare sector be better prepared to deal with the latest cyberthreats, said attorney David Holtzman, principal of consulting firm HITprivacy LLC.

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, or HICP 2023 Edition, is a playbook containing details about the current top threats, such as ransomware and social engineering, and the latest best practices to help healthcare sector organizations "best defend and recover from a cybersecurity incident," he said.

"HICP was written for the entire healthcare industry," and not just for HIPAA-regulated entities, Holtzman said. "Any organization that handles health information can benefit from using the best practices of HICP," he said.

Stakeholders from the government and private healthcare sector who are members of the HHS 405(d) Task Group, which advises HHS on cybersecurity issues, developed the original HICP document in 2019 and the updated version published in April. Holtzman is a member of the HHS 405(d) Task Group, which is a part of the larger Health Sector Coordinating Council that released HICP (see: HHS Publishes Guide to Cybersecurity Best Practices).

The updated HICP document also includes modified best practices that take into account issues such as medical device connectivity, "which is a significant area of threat," he said.

In this video interview with Information Security Media Group at ISMG's Healthcare Security Summit in New York City, Holtzman also discussed:

  • Other important features in the updated HICP 2023 Edition;
  • The changing cyber insurance marketplace and its effect on healthcare organizations;
  • Other guidance materials under development by the HHS 405(d) Task Group.

Holtzman previously served on the health information privacy team at the Department of Health and Human Services' Office for Civil Rights and as a consultant at security and privacy consultancy CynergisTek. He has two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations and is a member of the HHS 405(d) Task Group and the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



