July 18, 2019

Healthcare Cybersecurity Preparedness Tops HHS Priority List

Recently, the U.S. Department of Health & Human Services (“HHS”) issued guidance on healthcare cybersecurity best practices (“Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” published December 2018). As required under Section 405(d) of the Cybersecurity Act (“CSA”) of 2015, this four-part guidance was generated by a public-private Task Group charged with the following:

  1. Examining current cybersecurity threats affecting the healthcare and public health sector;
  2. Identifying specific weaknesses that make healthcare and public health organizations more vulnerable to cybersecurity threats; and
  3. Providing certain practices that cybersecurity experts rank as most effective against such threats.

This technical assistance comes at a critical time. Healthcare organizations, regardless of size, complexity or sophistication, are vulnerable to cyber-attacks. For example, while smaller organizations may assume that cyber threats such as ransomware mostly affect larger organizations, approximately 58% of malware attack victims are small businesses. Furthermore, cybersecurity attacks in 2017 cost small and medium-sized businesses an average of $2.2 million per incident.

Most surprisingly, despite the increased frequency of cyber-attacks over the last two years, and despite the average cost of a data breach being highest in healthcare, the healthcare industry continues to lag behind in cybersecurity preparedness. Healthcare organizations spend only about 4-7% of their total IT budgets on cybersecurity, while other industries spend approximately 10-14%. There is certainly a need, and significant room, for improvement across the industry.

The main volume of the new HHS guidance document cites the five most prevalent cybersecurity threats as:

  • E-mail phishing attacks;
  • Ransomware attacks;
  • Loss or theft of equipment or data;
  • Insider, accidental or intentional data loss; and
  • Attacks against connected medical devices that may affect patient safety.

The guidance document also identifies ten cybersecurity practices to mitigate these threats (each covered in more detail, for small and for medium-to-large organizations, in the corresponding Technical Volumes):

  • E-mail protection systems;
  • Endpoint protection systems;
  • Access management;
  • Data protection and loss prevention;
  • Asset management;
  • Network management;
  • Vulnerability management;
  • Incident response;
  • Medical device security; and
  • Cybersecurity policies.

With this new cybersecurity guidance from HHS, healthcare companies are better equipped to strengthen their security posture and more effectively tackle cyber threats. Companies should prioritize these efforts because cybersecurity preparedness reduces patient privacy risk, protects patient safety and ultimately preserves an organization’s reputation.

©2019 Epstein Becker & Green, P.C. All rights reserved.

About this Author

Alaap B. Shah, Member

Alaap B. Shah is a Member of the Firm in the Health Care and Life Sciences practice, in the firm's Washington, DC, office.

Mr. Shah:

  • Advises clients on federal and state privacy and data security laws and regulations
  • Advises on cybersecurity and data breach matters
  • Advises clients on health care fraud and abuse matters and government investigations relating to health information technology
  • Counsels clients on digital health and data strategies and related compliance issues

His work focuses on defense and counseling...

202-861-5320
Daniel Kim, Associate

Daniel Kim is an Associate in the Health Care and Life Sciences practice, in the Washington, DC, office of Epstein Becker Green. He will be focusing his practice on FDA marketing approval of medical devices and pharmaceuticals; reimbursement and compliance matters affecting health care and medical device manufacturers; telehealth and telemedicine; HIPAA privacy and security; regulatory health care due diligence; and compliance issues.

Mr. Kim received his J.D., cum laude, from American University Washington College of Law. He obtained an M.A. in Anatomy and Neurobiology from Boston University School of Medicine, where he served as a surgical technician. He also received a B.A. in Biology, with a concentration in Neuroscience, from Boston University.

While attending law school, Mr. Kim clerked at the U.S. Attorney’s Office for the District of Columbia and at the Medicare Operations Division of the U.S. Department of Health and Human Services’ Departmental Appeals Board. Later, he interned at the Commissioner’s Office of the U.S. Food and Drug Administration and at the Office of General Counsel for Doctor on Demand, Inc., where he assisted in researching state telehealth laws and regulations, and developing and implementing HIPAA privacy and security and company compliance policies.

Before going to law school, Mr. Kim worked for six years as a research assistant at Boston Children’s Hospital, studying potential therapeutic treatments for spinal cord injuries.

202-861-1829