HHS releases voluntary cybersecurity guidance for health care organizations

Bricker Graydon LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Bricker & Eckler LLP

The Department of Health and Human Services (HHS) estimates that U.S. health care systems lost around $6.2 billion in 2016 due to data breaches. Congress and HHS have recently taken affirmative steps towards reducing that amount.

Section 405(d) of the Cybersecurity Act of 2015 (CSA), titled “Aligning Health Care Industry Security Approaches,” legislatively mandated the creation of the CSA 405(d) Task Group. That Task Group, comprised of over 150 health care and cybersecurity experts from government and industry partners, met in May 2017, to develop a set of voluntary, consensus-based principles and practices to improve cybersecurity in health care organizations of varying sizes.

The resulting publication includes four parts:

  • Main Document, titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)”  Provides background and context related to cybersecurity threats in the health care industry and demonstrates the need for a coordinated set of industry-led guidelines, best practices and methodologies.

  • Technical Volume 1 – Discusses ten cybersecurity practices and sub-practices for small health care organizations.

  • Technical Volume 2 – Discusses ten cybersecurity practices and sub-practices for medium-sized and large health care organizations.

  • Resources and Templates Volume – Provides additional resources and templates to supplement the other volumes.

The publication guides organizations on what to ask IT and/or IT security teams or vendors, but the technical volumes are meant for IT and/or IT security professionals themselves.  

The five threats discussed in the HICP main document are:

  • E-mail phishing attacks

  • Ransomware attacks

  • Loss or theft of equipment or data

  • Insider, accidental or intentional data loss

  • Attacks against connected medical devices that may affect patient safety 

The Technical Volumes explore the following ten practices to mitigate the identified threats:

  • E-mail protection systems

  • Endpoint protections systems

  • Access management

  • Data protection and loss prevention

  • Asset management

  • Network management

  • Vulnerability management

  • Incident response

  • Medical device security

  • Cybersecurity policies

If you or your organization is interested in joining the 405(d) Task Group, HHS encourages you to reach out directly to the Task Group at CISA405d@hhs.gov.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Bricker Graydon LLP

Written by:

Bricker Graydon LLP
Bricker Graydon LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Bricker Graydon LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide