Jan 82019

HHS Releases Cybersecurity Guidance for Healthcare Organizations

Meenakshi Datta, Rina Mady and Kate Heinzelman
, , , , , ,

On December 28, 2018, the U.S. Department of Health and Human Services (HHS) released a four-volume cybersecurity guidance document for healthcare organizations. The publication, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), is the result of a government and industry collaboration mandated by the Cybersecurity Act of 2015. The HICP is not limited to individually identifiable health information but instead covers organizations’ enterprise-level information security more generally. HHS describes the publication as “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for healthcare organizations of varying sizes.” Notwithstanding their voluntary nature, these HHS-backed cybersecurity recommendations are likely to serve as an important reference point for the industry.

Noting the prevalence of cybersecurity attacks against the healthcare sector and the particular costs of such attacks, the HICP focuses on five of what it describes as “the most current and common cybersecurity threats” to the industry. According to the HICP, these are:

  1. email phishing attacks;
  2. ransomware attacks;
  3. loss of theft of equipment or data;
  4. insider, accidental or intentional data loss; and
  5. attacks against connected medical devices that may affect patient safety.

The HICP next sets forth 10 cybersecurity practices designed to help mitigate these threats. These practices, detailed in two accompanying technical volumes intended for information technology professionals, include: email protection systems; endpoint protection systems; identity and access management; network management; securities operations center and incident response; and cybersecurity policies. Within each cybersecurity practice, the HICP identifies specific practices tailored to small, medium, and large healthcare organizations respectively.

The HICP notes that the effort does not seek to “ ‘reinvent the wheel.’ ” Rather, the HICP makes clear that its practice recommendations are consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and draw on regulations implemented under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other legal requirements.

The HICP also repeatedly underscores that the practices it outlines are designed to be voluntary.  The authors state: “We do not expect the practices provided in this publication to become a de facto set of requirements that all organizations must implement.” Yet the thorough and detailed nature of these recommendations — and the fact that they are the outcome of a consensus-based, government and industry-led process — is likely to make the HICP’s practice recommendations a reference point for industry standards. Congress itself was aware of the potential implications of this; the Cybersecurity Act expressly provides that it shall not be construed to subject healthcare industry stakeholders “to liability for choosing not to engage in the voluntary activities authorized or guidelines developed” pursuant to the act’s provision establishing this collaborative process.

HHS states that it intends to “work with industry stakeholders to raise awareness and implement the recommended cybersecurity practices across the sector” in the coming months. The HICP invites further stakeholder engagement, stating that parties interested in joining in the efforts of the public-private task group may reach out to CISA405d@hhs.gov. Healthcare industry stakeholders may wish to consider whether to participate in the task group.

Meenakshi Datta

Chicago

mdatta@sidley.com

Rina Mady

Chicago

rmady@sidley.com

Kate Heinzelman

kheinzelman@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.