HHS Releases Cybersecurity Guidance for Healthcare Organizations

On December 28, 2018, the U.S. Department of Health and Human Services (HHS) released a four-volume cybersecurity guidance document for healthcare organizations. The publication, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), is the result of a government and industry collaboration mandated by the Cybersecurity Act of 2015. The HICP is not limited to individually identifiable health information but instead covers organizations’ enterprise-level information security more generally. HHS describes the publication as “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for healthcare organizations of varying sizes.” Notwithstanding their voluntary nature, these HHS-backed cybersecurity recommendations are likely to serve as an important reference point for the industry.

Noting the prevalence of cybersecurity attacks against the healthcare sector and the particular costs of such attacks, the HICP focuses on five of what it describes as “the most current and common cybersecurity threats” to the industry. According to the HICP, these are:

  1. email phishing attacks;
  2. ransomware attacks;
  3. loss of theft of equipment or data;
  4. insider, accidental or intentional data loss; and
  5. attacks against connected medical devices that may affect patient safety.

The HICP next sets forth 10 cybersecurity practices designed to help mitigate these threats. These practices, detailed in two accompanying technical volumes intended for information technology professionals, include: email protection systems; endpoint protection systems; identity and access management; network management; securities operations center and incident response; and cybersecurity policies. Within each cybersecurity practice, the HICP identifies specific practices tailored to small, medium, and large healthcare organizations respectively.

The HICP notes that the effort does not seek to “ ‘reinvent the wheel.’ ” Rather, the HICP makes clear that its practice recommendations are consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and draw on regulations implemented under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other legal requirements.

The HICP also repeatedly underscores that the practices it outlines are designed to be voluntary.  The authors state: “We do not expect the practices provided in this publication to become a de facto set of requirements that all organizations must implement.” Yet the thorough and detailed nature of these recommendations — and the fact that they are the outcome of a consensus-based, government and industry-led process — is likely to make the HICP’s practice recommendations a reference point for industry standards. Congress itself was aware of the potential implications of this; the Cybersecurity Act expressly provides that it shall not be construed to subject healthcare industry stakeholders “to liability for choosing not to engage in the voluntary activities authorized or guidelines developed” pursuant to the act’s provision establishing this collaborative process.

HHS states that it intends to “work with industry stakeholders to raise awareness and implement the recommended cybersecurity practices across the sector” in the coming months. The HICP invites further stakeholder engagement, stating that parties interested in joining in the efforts of the public-private task group may reach out to CISA405d@hhs.gov. Healthcare industry stakeholders may wish to consider whether to participate in the task group.