The U.S. Department of Health and Human Services (“HHS”) recently released a publication entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” which sets forth a “common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes” to improve cybersecurity in the health care and public health sector. This publication was developed by a task group consisting of more than 150 health care and cybersecurity experts from the public and private sectors and focuses upon the “five most prevalent cybersecurity threats and the ten cybersecurity practices to significantly move the needle for a broad range of organizations” in the health care industry.

The five cybersecurity threats addressed in the publication are: (i) e-mail phishing attacks; (ii) ransomware attacks; (iii) loss or theft of equipment or data; (iv) insider, accidental or intentional data loss; and (v) attacks against connected medical devices that may affect patient safety.

The publication recognizes that cybersecurity recommendations will largely depend upon an organization’s size. Therefore, the publication is broken up into two separate technical volumes that are intended for IT and IT security professionals: (i) Technical Volume 1, which discusses ten cybersecurity practices for small health care organizations and (ii) Technical Volume 2, which discusses ten cybersecurity practices for medium-sized and large health care organizations. Specifically, the ten cybersecurity practices described in the Technical Volumes are as follows:

  • e-mail protection systems
  • endpoint protection systems
  • access management
  • data protection and loss prevention
  • asset management
  • network management
  • vulnerability management
  • incident response
  • medical device security
  • cybersecurity policies

These guidelines are not new frameworks, but rather consist of practice recommendations that are consistent with the NIST Cybersecurity Framework.

The HHS publication is available here.

Our take

A study issued by IBM Security and the Ponemon Institute reports that the cost of a data breach for health care organizations has risen from $380 per breached record in 2017 to $408 per record in 2018. The costs of a data breach can be crippling to an organization of any size; however, according to this recent HHS publication, many small businesses do not recover from a malware attack, with 60% of small businesses going out of business within six months of an attack. Health care organizations should review the HHS guidelines and work to implement the practice recommendations to the extent possible.