On December 28, 2018, the U.S. Department of Health and Human Services (HHS) released “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” a detailed set of voluntary guidelines illustrating best practices that healthcare providers may employ to combat five common and significant cyber risks. Those risks are: (1) phishing; (2) ransomware; (3) loss or theft of equipment or data; (4) insider, accidental, or intentional data loss; and (5) attacks against Internet of Things medical devices. The four-volume publication aims to provide voluntary cybersecurity practices to healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems.
The Guidelines are the result of a two-year effort involving over 150 cybersecurity and healthcare experts from private industry and the government under the Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Public-Private Partnership. The Guidelines highlight system vulnerabilities, potential impacts, and recommended best practices for each cyber risk. They also highlight 10 practices, along with approximately 88 “sub-practices,” that healthcare providers may employ in cybersecurity programs to better mitigate against the risks of the identified threats. Those practices are:
- E-mail protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
The Resources and Templates volume accompanying the Guidelines provides an evaluation methodology to assist companies to identify which sub-practices would work best to address identified cybersecurity threats. The Guidelines’ two additional Technical Volumes discuss recommendations for implementing recommended cybersecurity practices and sub-practices for small, medium, and large-sized companies. All three volumes also provide charts for mapping the sub-practices within the National Institute of Standards and Technology Cybersecurity Framework. The Technical Volumes are written for healthcare providers’ IT or IT security professionals, and to guide organizations as to what to ask of their IT professionals and vendors. The Resources and Templates volume serves as a supplement for both the Guidelines and the Technical Volumes.
Finally, HHS states that the Guidelines are intended to provide a starting point for cybersecurity practices, with goals of achieving a cost-effective reduction of cyber risks, providing further support for voluntary adoption and implementation of the Guidelines’ recommendations, and providing actionable recommendations to healthcare providers of every size and resource level. However, although the Guidelines are voluntary, there is some concern that they will be used to measure reasonable duties of care in data breach litigation, or may be used to audit healthcare providers by regulators.
If you have any questions or would like to further information, please contact Joshua Mooney (firstname.lastname@example.org; 215.864.6345) or Sedgwick Jeanite (email@example.com; 212.631.4413).