January 22, 2019

DHHS Releases Guidance on Managing Cybersecurity Threats in the Health Care Sector

The U.S. Department of Health and Human Services (DHHS) recently released Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). DHHS states that the purpose of the HICP is to:

  1. Raise awareness of cybersecurity;
  2. Provide vetted cybersecurity practices;
  3. Move organizations towards consistency in mitigating cybersecurity threats to the sector;
  4. Aid health care and public health organizations to develop meaningful cybersecurity objectives and outcomes.

The HICP discusses five current threats: (i) e-mail phishing attacks; (ii) ransomware attacks; (iii) loss or theft of equipment or data; (iv) insider, accidental, or intentional data loss; and (v) attacks against connected medical devices that may affect patient safety. The HICP then discusses ten cybersecurity practices to mitigate those threats. In addition to the HICP, DHHS released two technical volumes – one for small health care organizations and another for medium and large health care organizations – and various resources and templates. The technical volumes aim to provide practical guidance to health care organizations on implementing the ten cybersecurity practices. For example, the technical volumes provide a list of the specific policies that health care organizations should have to mitigate the risk of cyberattacks, as well as the specific information that should be captured in the inventory of IT assets maintained by an organization.

Note that although compliance with this cybersecurity guidance (and similar government guidance that has been previously released) is voluntary, courts and others may look to the guidance as setting the standard for “reasonable security” in the health care industry. Therefore, health care organizations should review their current cybersecurity practices against those outlined in the guidance and consider how to address any identified gaps.

DHHS is also expected to release a Cybersecurity Practices Assessments Toolkit, intended to help organizations prioritize their cyber threats and develop an action plan. The Toolkit is still under development, but DHHS states that an advance copy can be obtained by contacting CISA405d@hhs.gov.

The HICP and related resources are available here.

© 2019 Foley & Lardner LLP

About this Author

Jennifer L. Rathburn, Partner

Jennifer L. Rathburn is a partner with Foley & Lardner LLP. Ms. Rathburn focuses on counseling clients on data protection programs, data incident management, and breach response and recovery, as well as the monetization of data, the Health Insurance Portability and Accountability Act (HIPAA), and other privacy and security issues. She is one of the founders of the Midwest Cyber Security Alliance and has a deep understanding of the complex risk, operational, and legal issues companies must address to maintain the confidentiality of, access to, and integrity of their...

414-297-5864
Jennifer J. Hennessy, Associate

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management and the entire breach notification process, from the early stages of the investigation to the notification of affected individuals and state and federal government regulators. Her depth of experience in this area allows her to provide clients with practical and business-oriented solutions in the event of a data incident and in its aftermath. Prior to joining Foley, Ms. Hennessy was a health law associate with a large U.S. law firm based in Milwaukee.

617-502-3211