Additional Requirement 39: Cybersecurity Requirements

At a glance

See below for requirements related to cybersecurity requirements.

Overview

Pursuant to the Cybersecurity Act of 2015, Div. N, § 405, Pub. Law 114-113, 6 USC § 1533(d), the Secretary of the Department of Health and Human Services (HHS) has established a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes.

These:

  • serve as a resource for cost-effectively reducing cybersecurity risks for a range of health care organizations;
  • support voluntary adoption and implementation efforts to improve safeguards to address cybersecurity threats;
  • are consistent with—
    • the standards, guidelines, best practices, methodologies, procedures, and processes developed by the National Institute of Standards and Technology;
    • the security and privacy regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA); and
    • the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act;
  • are updated on a regular basis and applicable to a range of health care organizations.

When award funding involves both of the following, recipients shall develop plans and procedures, modeled after the NIST Cybersecurity framework, to protect HHS and its Division (such as the Centers for Disease Control and Prevention) systems and data.

  • Recipients, subrecipients, or third-party entities have ongoing and consistent access to HHS owned or operated information or operational technology systems; and
  • Recipients, subrecipients, or third-party entities receive, maintain, transmit, store, access, exchange, process, or utilize personal identifiable information (PII) or personal health information (PHI) obtained from the awarding HHS agency for the purposes of executing the award.

Where both bullets above exist, Recipients must develop cybersecurity plans and procedures. These cybersecurity plans and procedures must at minimum include the following:

Develop cybersecurity plans and procedures, modeled after the NIST Cybersecurity framework, to protect HHS systems and data:

  • Identify:
    • Develop an inventory of all assets and accounts with access to HHS owned and operated information or operational technology systems or which obtain PII or PHI for the purposes of the award.
  • Protect:
    • Limit access to HHS owned and operated systems to only those in need of access to complete reward activities. Require all staff to complete annual cybersecurity and privacy awareness training. Visit 405(d): Knowledge on Demand (hhs.gov) to obtain free trainings, if needed.
    • Enable multifactor authentication for all employees, subrecipients, and third party entities to access HHS owned and operated information or operational technology systems.
    • Regularly backup sensitive data and test backups.
  • Detect:
    • Install anti-virus or anti-malware software on all devices, servers, and accounts used to connect to HHS owned and operated systems.
  • Respond:
    • Develop an incident response plan. See Incident-Response-Plan-Basics_508c.pdf (cisa.gov) to learn about developing incident response plans.
    • Have cybersecurity incident reporting procedures that ensure the relevant HHS awarding agencies are notified of a cybersecurity incident within 48 hours of discovery. A cybersecurity incident is defined as an unplanned interruption to a technology service or reduction in the quality of a technology service, or an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
  • Recover:
    • Investigate incidents and plug any security gaps identified.

Related Material