In late January, the U.S. Department of Health and Human Services’ Healthcare & Public Health Sector Coordinating Council issued a new cybersecurity guidance document for healthcare businesses of all sizes. The guidance document, entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx, provides concrete and practical guidance for addressing what the Council has identified as the “most impactful threats . . . within the industry” and serves as a renewed call to action for implementation of appropriate cybersecurity practices. This document is critical reading for healthcare business managers faced with ever-increasing cybersecurity risks and the attending risks to patient safety and operational continuity, business reputation, financial stability, and regulatory compliance.

The guidance document focuses on the threats that the authors believe to be the “most impactful threats… within the industry.” The guidance leverages the well-known NIST Cybersecurity Framework to address the following threats:

1. E-mail phishing attacks;
2. Ransomware attacks;
3. Loss or theft of equipment or data;
4. Insider, accidental, or intentional data loss; and
5. Attacks against connected medical devices that affect patient safety.

In each of these threat categories, the guidance identifies specific vulnerabilities, explains the impact that can result from each vulnerability, and suggests the practices that healthcare businesses can implement to mitigate the risks associate with each kind of threats. More specific practice recommendations are presented in two volumes, one for small healthcare businesses and another for medium and large healthcare businesses (also available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx) Small businesses get a concise 29 pages of easy-to-read advice. Medium and large health care businesses get a more fulsome 100-page document that is written for organizations with more information technology personnel and resources.

Although the guidance document purports to provide “voluntary, consensus-based and industry-led guidelines, best practices, methodologies, procedures, and processes,” healthcare businesses that experience a data breach or cybersecurity incident that could have been prevented by implementing the recommended practices are likely to be vulnerable to claims of negligence or failure to implement appropriate safeguards in private litigation or a government inquiry.

Healthcare business managers should read this guidance as soon as possible to determine whether their organization’s cybersecurity program aligns with this most recent guidance. Organizations with an established risk assessment and risk management planning processes may incorporate application of this guidance using their chosen methodologies. The guidance also includes some recommendations regarding assessment and promises a new assessment toolkit specific to this guidance in the future. Stoel Rives’ privacy team is well-versed in cybersecurity and can assist with the process of evaluating cybersecurity-related risk-posture and priorities, separating the scare tactics and fad technologies from the solid investments, and helping to protect clients’ planning and decision-making processes from compelled disclosure.