On December 28, 2018, the Department of Health and Human Services (HHS) issued new voluntary cybersecurity guidance for the health care industry titled, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” This four-volume set of consensus-based principles and practices (the “HICP”) reflects the recommendations of the 405(d) Task Group, a HHS and industry-led collaborative task group named for Section 405(d) of the Cybersecurity Act of 2015, a provision that calls for a more coordinated approach to cybersecurity in the health care industry.
The HICP is essentially a call to action for health care organizations to identify cybersecurity threats and adopt mitigation measures in response to those threats, and to view this work as a patient safety issue. Recognizing that the health care industry includes organizations of varying size and complexity, with different levels of resources, the HICP is designed to provide a flexible set of guidelines that is scalable and can be tailored to a local clinic and a large health care system, and anything in between. In addition, the HICP acknowledges that the cybersecurity threats facing the health care industry are numerous and complex, and therefore it focuses on the five most prevalent cybersecurity threats, as well as ten general cybersecurity practices that are important for an organization of any size.
The HICP identifies the relevant vulnerabilities, potential impact, and suggests best practices to consider for each of the five main threats: 1) e-mail phishing attacks; 2) ransomware attacks; 3) loss or theft of equipment or data; 4) insider, accidental or intentional data loss; and 5) attacks against connected medical devices that may affect patient safety. Then, in two accompanying “Technical Volumes,” one geared towards small organizations, and one geared towards medium to large organizations, the HICP provides a non-comprehensive set of recommendations for steps that organizations can take to reduce the impact of cybersecurity threats on their operations. The recommended practices fall into ten categories, including e-mail protection systems, endpoint protection systems, access management, data protection and loss prevention, asset management, network management, vulnerability management, incident response, medical device security, and cybersecurity policies. In addition, the HICP includes an assessment methodology and additional resources that are aligned with the National Institute of Standards and Technology (NIST) guidelines and designed to help an organization adapt the HICP’s recommendations to its specific needs and priorities.
The HICP emphasizes that the practices provided are not meant to become a de facto set of mandatory requirements, and that in leveraging the NIST guidelines, the Task Group purposely attempted to make its recommendations within existing cybersecurity frameworks and avoid reinventing the wheel. Accordingly, the HICP is meant to provide practical guidance for health care organizations wondering where to start and how to adopt certain cybersecurity practices. Although the guidelines offered in the HICP are voluntary and not intended to have any regulatory effect, they may serve as a useful tool for health care organizations seeking to align their cybersecurity policies with current best practices.
