The Healthcare and Public Health (HPH) sector continues to experience an array of increasingly sophisticated and pervasive cyberattacks. Cyberattacks directed at hospitals can impact patient care by forcing providers to go offline, impacting access to medical records and appointment systems; causing patient diversion to other facilities; and affecting delivery of care, including cancellation and delay of treatments and procedures. Cyberattacks against the HPH sector are growing both in numbers and severity, with the frequency of cyberattacks on hospitals and health systems more than doubling from 2016 to 2021.[1]
ASPR is responsible for many aspects of our country’s preparedness and response infrastructure, including activities related to cyberattacks. As the HPH sector’s designated Sector Risk Management Agency (SRMA), ASPR leads the Department of Health and Human Services’ (HHS) efforts to manage and assess sector risk, facilitate information sharing, support and lead incident management and response, and coordinate between public and private sector partners. ASPR carries out this SRMA function through its Office of Critical Infrastructure Protection within the Office of Preparedness.
ASPR takes this role seriously and continues to build its cyber infrastructure by, for example, investing in staffing and developing technologies to optimize cyber incident tracking. We recently released version 2.0 of the Risk Identification and Site Criticality toolkit, a comprehensive, objective, data-driven all-hazards assessment tool. This tool can be used by our private sector partners to assess their potential vulnerabilities, including cyber, and provides ASPR with anonymous aggregate data which helps inform how we prioritize and allocate resources.
ASPR coordinates regularly with our colleagues across as well as beyond HHS. Working as a team, HHS agencies and divisions bring together their unique cybersecurity perspectives, expertise, and authorities as a single collaborative effort to assist the HPH sector with activities, tools, information, and support. For example, we help disseminate the Health Industry Cybersecurity Practices (HICP) document developed by the HHS 405(d) program in partnership with the sector. We have recently released an infographic that describes the ASPR SRMA function and how it facilitates this whole of HHS approach to cyber threats and a toolkit of resources for our partners.
As cyber threats continue to grow and evolve, ASPR remains committed to executing its SRMA responsibilities to prepare for and respond to cyber threats in the HPH sector.
1JAMA Health Forum. 2022;3(12):e224873. doi:10.1001/jamahealthforum.2022.4873
