HHS Releases New Cybersecurity Guidance for the Health Care Industry
As health care practitioners and organizations settle into the New Year, they have new cybersecurity guidance to consider. On December 28, 2018, a task force of public- and private-sector leaders convened by the U.S. Department of Health and Human Services (HHS) released Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. The four-part guidance, which is targeted toward HIPAA-covered entities and other health care organizations of all sizes, including physicians, hospitals, payors, third-party processors and medical device manufacturers, addresses the most common cyber threats facing the health care industry. While the publication is the most comprehensive health care cybersecurity guidance to date, its recommendations are strictly voluntary and impose no new legal obligations. Nevertheless, the guidance could prove critical should an organization face regulatory scrutiny or civil litigation arising from a data security incident.
Health care organizations are among the most heavily targeted by cybercriminals, with significant financial consequences and risks to patient safety. In 2018, the cost per record of a health care data breach was $408, nearly twice the per-record cost of a breach in the financial sector, and in 2016 the U.S. health care system lost $6.2 billion to security incidents. Given this landscape, HHS’s Office for Civil Rights (OCR) has been increasingly active in investigating and pursuing civil monetary penalties against covered entities whose failure to adequately secure patient information resulted in a data breach. Prior to the publication, organizations’ legal, compliance, IT and information security professionals had only a patchwork of cybersecurity best practices drawn from the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Under the legislative mandate of section 405(d) of the Cybersecurity Act of 2015 (the Act), HHS convened a task force of more than 150 health care and cybersecurity experts from the public and private sectors to develop “voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes” aimed at achieving three core goals:
- Reducing cybersecurity risks for a range of health care organizations in a cost-effective manner
- Supporting the voluntary adoption and implementation of HHS recommendations
- Ensuring that content is actionable, practical and relevant to health care stakeholders of every size and resource level on an ongoing basis
Pervasive Cybersecurity Threats
The task force focused on the five most prevalent cybersecurity threats facing health care organizations of all sizes:
- E-mail phishing attack
- Ransomware attack
- Loss or theft of equipment or data
- Insider, accidental or intentional data loss
- Attacks against connected medical devices that may affect patient safety
For each threat, the guidance describes its nature, the vulnerabilities it exploits, the potential impact on the organization, and the practices to consider in mitigating it. The recommended practices are organized into 10 categories:
- E-mail Protection Systems
- Endpoint Protection Systems
- Access Management
- Data Protection & Loss Prevention
- Asset Management
- Network Management
- Vulnerability Management
- Incident Response
- Medical Device Security
- Cybersecurity Policies
The 10 practices are broken down into 88 sub-practices and presented in two technical volumes, one addressing the needs of small organizations and the other those of medium-size to large organizations. A companion toolkit helps organizations conduct a risk assessment and prioritize the practices that would be most effective for them.
While the guidance is an invaluable resource for health care organizations implementing a cybersecurity program or enhancing an existing one, industry members should bear in mind that the “best practices” are strictly voluntary. Unlike the National Institute of Standards and Technology (NIST) 2014 Cybersecurity Framework, which became the benchmark regulators use in evaluating whether a company’s security measures are “reasonable,” section 405(d) of the Act states expressly that the practices are voluntary and intended to serve as a guiding resource.
The guidance signals HHS’s renewed commitment to the privacy and security of patient information, and the steady pace of regulatory enforcement actions and lawsuits arising from data breaches is likely to continue. As health care organizations review their policies and procedures for 2019, we encourage all stakeholders to heed the report’s “Call to Action” by addressing gaps in their cybersecurity programs and gauging their preparedness for a security incident.