May 26, 2020

Healthcare Industry Reminded to Heed Cybersecurity: New “Industry Standard” Guidance

The Department of Health and Human Services (HHS) observes that the US healthcare system lost $6.2 billion as a result of data breaches in 2016, and that 4 out of 5 US physicians have experienced some form of cyberattack [1]. The overarching message from HHS is: don’t be a victim of poor security.

HHS, in partnership with the healthcare industry, has released “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” (December 28, 2018) [2]. This four-volume publication sets out voluntary cybersecurity best practices for healthcare organizations of all sizes. It can be accessed here [3]. The publication consists of a main document, two technical volumes, and a set of resources and templates. One technical volume is written for small organizations and the other for medium and large organizations.

This new resource helps interpret what “industry standard” cybersecurity should mean, and suggests that, at a minimum, organizations should address ten specific areas within a cybersecurity program (described below). The resource does not override other healthcare security obligations (such as those under the Health Insurance Portability and Accountability Act (HIPAA)), but it may help fill interpretation gaps where an organization has discretion in how to meet a specific HIPAA security standard. It may also serve as a benchmark for showing a lack of reasonable security in support of legal claims under laws other than HIPAA.

The new resource recommends the following ten cybersecurity practices to help mitigate cyber threats generally. How each is implemented will necessarily vary with the nature of the organization, its systems and equipment, and the type and amount of sensitive data it handles:

1. E-mail protection systems

2. Endpoint protection systems

3. Access management

4. Data protection and loss prevention

5. Asset management

6. Network management

7. Vulnerability management

8. Incident response

9. Medical device security

10. Cybersecurity policies

According to the new resource, it is up to each organization to prioritize among these practices after a security assessment of where it stands on each of them. Covered entities and their business associates are already required to conduct such a risk analysis under the HIPAA Security Rule, and may use HHS’s “Security Risk Assessment” tool, available here [4], to help with this process.

The new resource provides real-world scenarios, practical guidance, and supporting materials to help organizations align their practices with the five core functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (identify, protect, detect, respond, and recover) in order to better manage cyber threats. By its own account, the resource did not intend to “recreate the wheel” and builds on the NIST framework. It was prepared in partnership with industry through a public-private task force, as required by Section 405(d) of the Cybersecurity Act of 2015. The task force expects to update the resource regularly to reflect evolving threats, and work on the tools in the “resources and templates” portion also appears to be ongoing. For organizations seeking to be more involved in what HHS (in cooperation with industry) recommends for cybersecurity, the task force that produced this resource still welcomes participants by contacting

1. See HHS’s “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients,” available at -Main-508.pdf (last visited January 10, 2019).

2. Available here (last visited January 10, 2019).

3. The link is 405d/Pages/hic-practices.aspx (last visited January 10, 2019).

4. The link is here (last visited January 10, 2019).

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.


About the Authors

Nadia Aram, Womble Carlyle, Intellectual Property Attorney, technology licensing lawyer, commercial agreements legal counsel, private securities law

Nadia advises clients in a variety of business transactions involving the use and commercialization of intellectual property and technology. She has experience drafting and negotiating a broad variety of contracts, including technology licenses, services, consulting and other complex commercial agreements to help clients realize the value of their assets day-to-day, and as part of strategic product and technology acquisitions and divestitures. Nadia also practices in the areas of franchise law, and advertising, sweepstakes & promotions law, including advising clients...

Laramie Paras, Womble Carlyle Law Firm, Greenville, Healthcare Law Attorney

Laramie is a member of the Healthcare Practice Group and her work focuses on regulatory and compliance issues including HIPAA Privacy and Security and the Federal fraud and abuse laws. She also has transactional experience advising clients on various agreements, including those involving confidentiality, clinical trials, and business associates. Laramie’s insights are especially helpful to hospitals, healthcare systems, and other healthcare providers.