HHS Releases Health Industry Cybersecurity Guidance

HHS Releases Health Industry Cybersecurity Guidance

On December 28, 2018, the U.S. Department of Health and Human Services ("HHS") released a publication, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (the "Cybersecurity Guidance").  While the Cybersecurity Guidance is clearly described as a voluntary document for the health care industry, it provides useful tips and best practices with respect to cybersecurity for small, medium and large-sized health care organizations.

​The Cybersecurity Guidance was created by a task group consisting of health care and cybersecurity experts from the public and private sectors in response to Section 405(d) (Aligning Health Care Industry Security Approaches) of the Cybersecurity Act of 2015.

The Cybersecurity Guidance is designed to achieve three core goals: (1) allow a range of health care organizations to cost-effectively reduce their cybersecurity risks; (2) support voluntary adoption and implementation of its recommendations; and (3) provide content that is "actionable, practical, and relevant" to health care entities of all sizes and resources on an ongoing basis.  The four-volume document includes: (1) the Main Document discussing current cybersecurity threats in the health care industry geared toward health care executives and decision makers; (2) the Technical Volume 1 geared toward IT professionals identifying 10 cybersecurity practices for small health care organizations; (3) the Technical Volume 2 intended for IT professionals in medium and large health care organizations; and (4) the Resources and Templates volume with resources to supplement the other three volumes.

The Main Document identifies five major cybersecurity threats facing the health care sector: (1) e-mail phishing attacks; (2) ransomware attacks; (3) loss or theft of equipment or data (4) insider, accidental or intentional data loss; and (5) attacks against connected medical devices with the potential to affect patient safety.  Potential vulnerabilities, organization impact, and best practices to consider are discussed in connection with each threat type.  The technical documents then contain 10 practices:  email protection systems; endpoint protection systems; access management; data protection and loss prevention; asset management; network management; vulnerability management; incident response; medical device security; and, cybersecurity policies, to assist organizations to mitigate each of these five threats.  The practice recommendations are designed to be consistent with the NIST Cybersecurity Framework, which consists of five continuous functions in the cybersecurity lifecycle of any organization: identify, protect, detect, respond and recover.

The Cybersecurity Guidance is available online.  While this is an important document and one that should be carefully reviewed by health care organizations, the Cybersecurity Guidance is not intended to be a new mandatory regulatory framework nor is it designed to ensure compliance with any particular data security law or regulatory scheme, such as HIPAA.

The Cybersecurity Guidance is relevant for health care organizations of all types (e.g., providers, payors, medical device manufacturers, and vendors) and sizes.  Cybersecurity issues have been pervasive and costly in the health care industry in recent years.  The Cybersecurity Guidance cites a study from IBM Security and the Ponemon Institute stating that the average cost of a data breach for health care organizations rose from $380 per record in 2017 to $408 per record in 2018, making the health care sector the industry with the highest cost for data breaches.  In addition to the financial costs, cybersecurity events have the potential to directly and negatively impact patient care.

Members of Saul Ewing Arnstein & Lehr’s Health Care Practice have extensive experience counseling health care industry clients on data privacy and security issues, including HIPAA and state laws, and assisting clients who experience a cybersecurity event.  For more information, contact the authors or the attorney at the Firm with whom you are regularly in contact.

View Document(s):