Government Landscape

Landscape of Government Agencies

In the United States, many government healthcare agencies at the federal, state, local, tribal, and territorial levels follow or enforce cybersecurity policies and guidelines.

Their cybersecurity roles fall into several broad categories:

  • Securing Healthcare Delivery: To secure the delivery of healthcare, organizations such as the Veterans Administration/Veterans Health Administration (VA/VHA), the Department of Defense/Defense Health Agency (DOD/DHA), Health and Human Services/Indian Health Service (HHS/IHS), and the National Institutes of Health (HHS/NIH) rely on their parent departments for centralized cybersecurity policy and administration.
  • Securing Healthcare Critical Infrastructure: Cybersecurity advisories for the health sector are provided through the HHS Health Sector Cybersecurity Coordination Center (HHS/HC3) and the Department of Homeland Security/Cybersecurity and Infrastructure Security Agency (DHS/CISA).
  • Cybersecurity Preparedness and Response: The HHS Office of the Assistant Secretary for Preparedness and Response (ASPR) leads the nation's medical and public health preparedness for, response to, and recovery from disasters and public health emergencies, including cybersecurity incidents.
  • Law Enforcement and Intelligence Sharing: The FBI tracks ransomware actors, provides cybersecurity alerts, and investigates incidents. DHS/CISA also participates in threat intelligence sharing.
  • Privacy of Health Information: The HHS Office for Civil Rights (HHS/OCR) regulates the privacy of health information. Health information privacy is protected under HIPAA.

Below is a short list of the relevant federal agencies and their primary cybersecurity roles and responsibilities.

Department of Health and Human Services (HHS)

Enhances the health and well-being of all Americans by providing effective health and human services and by fostering sound, sustained advances in the sciences underlying medicine, public health, and social services. HHS's cybersecurity policy administration is coordinated by the Office of the CIO, and each agency has its own CISO.

Health Sector Cybersecurity Coordination Center (HC3)

HC3 was created by the Department of Health and Human Services to help protect critical, healthcare-related controlled information and to ensure coordinated cybersecurity information sharing across the Healthcare and Public Health (HPH) sector.

Office of the Chief Information Officer

As the leading collaboration center of the Office of the Chief Information Officer/Office of Information Security, the 405(d) Aligning Health Care Industry Security Approaches Program focuses on providing the HPH sector with useful and impactful resources, products, and tools that raise awareness and offer vetted cybersecurity practices, driving behavioral change and moving the sector toward consistency in mitigating its most relevant cybersecurity threats. At the core of the 405(d) Program is its Task Group membership. The 405(d) Task Group was convened in 2017 and consists of more than 230 information security officers, medical professionals, privacy experts, and industry leaders. Task Group members help drive every aspect of the 405(d) Program, including official program products, awareness campaigns, and engagement and outreach channels. The cornerstone publication under the program is Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients. The 405(d) Program has published useful material aimed specifically at the ransomware threat, including the Have You Heard Awareness Campaign and a discussion of ransomware attacks and mitigations as part of its Five Threats series.

Office of the Assistant Secretary for Preparedness and Response (ASPR)

ASPR leads the nation's medical and public health preparedness for, response to, and recovery from disasters and public health emergencies. ASPR collaborates with hospitals, healthcare coalitions, biotech firms, community members, state, local, tribal, and territorial governments, and other partners across the country to improve readiness and response capabilities. The ASPR Technical Resources, Assistance Center, and Information Exchange (TRACIE) resource Healthcare System Cybersecurity: Readiness and Response Considerations can help healthcare facilities, particularly hospitals, and the systems they may be part of, understand the roles and responsibilities of stakeholders before, during, and after a cyber incident. Information within this document relates specifically to the effects of a cyber incident on the healthcare operational environment, in particular the ability to care effectively for patients and to maintain business practices and readiness during such an event. While the focus of the document is on disruptions associated with a large-scale cyberattack, many of the strategies and principles it outlines apply to a range of cybersecurity incidents and healthcare facilities.

Centers for Medicare and Medicaid Services (CMS)

CMS combines oversight of the Medicare program, the federal portion of the Medicaid program and the State Children's Health Insurance Program, the Health Insurance Marketplace, and related quality assurance activities. Because of its oversight role, CMS must protect its assets and operations. CMS therefore maintains an extensive cybersecurity policy that is managed by its CISO Office. CMS leverages the CMS Cybersecurity Integration Center (CCIC) as the central hub for network monitoring, information sharing, and incident response. The CCIC Incident Management Team (IMT) is responsible for notifying the Center for Medicare and Medicaid Enterprise Security Operation Center (CMS SOC), the Marketplace SOC, and the Health and Human Services Computer Security Incident Response Center (HHS CSIRC) of all security events and incidents.

Food and Drug Administration (FDA)

The Food and Drug Administration is responsible for protecting the public health by ensuring the safety, efficacy, and security of human and veterinary drugs, biological products, and medical devices. The FDA's Center for Devices and Radiological Health works closely with several federal government agencies, including the U.S. Department of Homeland Security (DHS), members of the private sector, medical device manufacturers, healthcare delivery organizations, security researchers, and end users to increase the security of the U.S. critical cyber infrastructure. Cybersecurity of medical devices falls under the FDA's regulatory purview. The FDA provides medical device safety and cybersecurity guidance.

Indian Health Service (IHS)

IHS provides comprehensive health services to American Indians and Alaska Natives by developing and managing programs that meet their health needs. IHS has established an agency-wide information security policy based on HHS security and privacy policies.

Office of the National Coordinator for Health Information Technology (ONC)

ONC serves as advisor for the development and implementation of a national health information technology framework. It provides guidance for the privacy and security of health IT, including electronic health information.

Office for Civil Rights (OCR)

OCR is responsible for enforcing the HIPAA Security, Privacy, and Breach Notification Rules.

Department of Veterans Affairs (VA)

The VA operates the largest integrated healthcare delivery system in the United States, the Veterans Health Administration (VHA). The VA employs a robust, multifaceted enterprise cybersecurity strategy (governance, program management, and risk management; operations, telecommunications, and network security; security architecture; application and software design; privacy; access control, identification, and authentication; cybersecurity training and human capital; and medical cyber) to ensure the security and resiliency of its IT infrastructure.

Defense Health Agency (DHA)

A joint, integrated Combat Support Agency that enables the Army, Navy, and Air Force medical services to provide a medically ready force and a ready medical force to Combatant Commands in both peacetime and wartime. It is part of the broader Military Health System (MHS). The DHA Cybersecurity Division establishes and maintains the DHA Cybersecurity Program, which governs all IT under the authority, direction, and control of the Director, DHA, consistent with DoD cybersecurity policy, while balancing risk tolerance against mission objectives.

Cybersecurity and Infrastructure Security Agency (CISA)

The nation's risk advisor, working with partners to defend against today's threats and collaborating to build a more secure and resilient infrastructure for the future. CISA provides cybersecurity tools, incident response services, and assessment capabilities to safeguard the essential operations of partner departments and agencies, for example through its CISA ransomware resources. CISA also provides cybersecurity services to the nation's critical infrastructure, including the health sector.

National Institute of Standards and Technology (NIST)

Promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST operates the National Cybersecurity Center of Excellence (NCCoE), which produces guidance for the healthcare sector, including detailed practice guides for ransomware.

Federal Bureau of Investigation (FBI)

A national security organization with both intelligence and law enforcement responsibilities. The FBI issues cybersecurity bulletins on ransomware and conducts criminal investigations.
