HHS releases voluntary Cybersecurity Practices guidance. Industry analysts drill down deeper.
As a requirement of the Cybersecurity Act of 2015, HHS released new voluntary cybersecurity practices aimed at cost effectively reducing cybersecurity risks for the healthcare industry on December 28. Known as the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients publication, the venture was a two-year effort that brought together more than 150 cybersecurity and healthcare experts and the government under the Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Public-Private Partnership, says Ken Dort, a partner in Intellectual Property and Information Technology at the law firm Drinker Biddle & Reath LLP.
“Cybersecurity has become a leading issue for all institutions that rely on networked systems to store and share data,” says Steven Williams, shareholder at the law firm Munsch Hardt. “Over the last decade, healthcare providers have become increasingly automated and reliant on systems that allow providers to share patient data with other providers. Today, essentially every step of healthcare delivery involves recording and storing patient information digitally, and then allowing other providers within the delivery system to access that data.”
HHS’ guidelines identify five of the most current and common healthcare sector cybersecurity threats: e-mail phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental, or intentional data loss; and attacks against connected medical devices that may affect patient safety, says Bruce Armon, healthcare partner at the law firm Saul Ewing Arnstein & Lehr. The guidelines also identify 10 best practices for healthcare organizations to consider to mitigate these five cybersecurity threats.
Related article: Five Ways to Improve Your Health Organization’s Cybersecurity
Depending upon a healthcare organization’s size, (i.e., small, medium, or large) there are different cybersecurity best practices that an organization may wish to implement. “Each healthcare organization may have different cybersecurity vulnerabilities and elect different strategies to attempt to mitigate cybersecurity threats,” Armon says. “The guidelines are not a one-size-fits-all proposition.”
The guidelines are written and organized in a way that makes them more accessible to those who do not have technology expertise, from board and C-suite members to human resource directors and office managers to doctors, nurses, and claims analysts, says Elizabeth Litten, partner and HIPAA privacy and security officer at the law firm Fox Rothschild.
Here are five more things to know about the new guidelines.
Karen Appold is a medical writer in Lehigh Valley, Pennsylvania.