New Cybersecurity Guidance for the Health Care Industry (and Last Call for HIPAA Rule Comments)
We discuss below two important updates impacting the health care industry.
Important New Cybersecurity Guidance for the Health Care Industry
The US Department of Health and Human Services (HHS) has released an important new set of cybersecurity guidance documents for health care organizations of all types and sizes. Created by a task group comprised of cybersecurity and health care industry representatives from the public and private sectors, the guidance provides voluntary, consensus-based guidelines and best practices intended to "significantly move the needle" on five prevalent cybersecurity threats: e-mail phishing attacks; ransomware attacks; theft or loss of equipment or data; insider (accidental or intentional) data loss; and attacks on connected medical devices.
The guidance then recommends 10 cybersecurity practices that experts agree are effective in mitigating these threats:
- E-mail protection systems;
- Endpoint protection systems;
- Access management;
- Data protection and loss prevention;
- Asset management;
- Network management;
- Vulnerability management;
- Incident response;
- Medical device security; and
- Cybersecurity policies.
Helpfully, there are separate "technical" volumes (intended for information technology and security professionals) tailoring the 10 recommended cybersecurity practices to small organizations (such as a sole practitioner physician) and medium and large health care organizations (such as a sophisticated academic medical center), in an effort to make the information more actionable to organizations with varying levels of complexity and resources. There is no one-size-fits-all solution to cybersecurity, and the practices are presented as recommendations. These practices align with the outcomes listed in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The guidance is not intended to introduce new regulatory requirements, and implementation of the recommendations does not guarantee compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or other laws. However, the guidance is intended to (and no doubt will) push the industry toward greater consistency in how these critical cyber threats are addressed. Organizations should carefully review the guidance in the context of their overall cybersecurity program.
To obtain a copy of the guide, titled "Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients," please click here.
Want to Improve HIPAA? HHS is Accepting Public Comments Until February 12
HHS's Office for Civil Rights (OCR) is continuing to accept feedback from the public, via a Request for Information (RFI), on how to improve HIPAA's Privacy and Security Rules (the HIPAA Rules) in order to better promote coordinated, value-based health care and improve the process for sharing information.
In particular, the RFI seeks recommendations on how to generally improve the HIPAA Rules, as well as focuses on specific areas, which include:
- Promoting information sharing for treatment and care coordination and/or case management;
- Encouraging the sharing of treatment information with parents and caregivers of adults facing health emergencies—especially related to the opioid crisis;
- Implementing the accounting of disclosures from an electronic health record for treatment, payment and health care operations; and
- Eliminating or modifying the requirement for health care providers to obtain a patient's written acknowledgment of receipt of the Notice of Privacy Practices.
To obtain a copy of the RFI, please click here.
1. See Department of Health and Human Services, Request for Information on Modifying HIPAA Rules to Improve Coordinated Care, 83 Fed. Reg. No. 240, 64302 (December 14, 2018).
2. See HHS Press Release, "HHS seeks public input on improving care coordination and reducing the regulatory burdens of the HIPAA Rules," December 12, 2018.