gwb | Grubman Warner Berry

HHS Publishes Guidance on Health Industry Cybersecurity Practices

Mar 25, 2019

The U.S. Department of Health and Human Services (“HHS”) recently published guidance entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” which lays out a “common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes” to aid the health industry in improving cybersecurity. The guidance was produced with contributions from more than 150 healthcare and cybersecurity experts, and it focuses on the “five most prevalent cybersecurity threats and the ten cybersecurity practices to significantly move the needle for a broad range of organizations” in healthcare.

The guidance identifies the five most prevalent cybersecurity threats as: (i) e-mail phishing attacks; (ii) ransomware attacks; (iii) loss or theft of equipment or data; (iv) insider, accidental or intentional data loss; and (v) attacks against connected medical devices that may affect patient safety.

Acknowledging that specific cybersecurity practices depend largely on an organization’s size, the guidance is divided into two separate technical volumes: (i) Technical Volume 1, which discusses ten cybersecurity practices for small health care organizations, and (ii) Technical Volume 2, which discusses ten cybersecurity practices for medium-sized and large health care organizations. Generally, the ten cybersecurity practices addressed in both Technical Volumes are as follows:

  • e-mail protection systems
  • endpoint protection systems
  • access management
  • data protection and loss prevention
  • asset management
  • network management
  • vulnerability management
  • incident response
  • medical device security
  • cybersecurity policies

While these guidelines do not set forth new frameworks for cybersecurity, they do provide a new resource for healthcare providers that lays out practice recommendations consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
