
Alston & Bird Privacy, Cyber & Data Strategy Blog


HHS Releases New “Health Industry Cybersecurity Practices”

January 8, 2019 By Kate Hanniford

On December 28, 2018, the Department of Health and Human Services (HHS) issued new voluntary cybersecurity guidance for the health care industry titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” This four-volume set of consensus-based principles and practices (the “HICP”) reflects the recommendations of the 405(d) Task Group, an HHS- and industry-led collaborative task group named for Section 405(d) of the Cybersecurity Act of 2015, a provision that calls for a more coordinated approach to cybersecurity in the health care industry.

The HICP is essentially a call to action for health care organizations to identify cybersecurity threats and adopt mitigation measures in response to those threats, and to view this work as a patient safety issue.  Recognizing that the health care industry includes organizations of varying size and complexity, with different levels of resources, the HICP is designed to provide a flexible set of guidelines that is scalable and can be tailored to a local clinic and a large health care system, and anything in between.  In addition, the HICP acknowledges that the cybersecurity threats facing the health care industry are numerous and complex, and therefore it focuses on the five most prevalent cybersecurity threats, as well as ten general cybersecurity practices that are important for an organization of any size.

The HICP identifies the relevant vulnerabilities and potential impact of, and suggests best practices to consider for, each of the five main threats: 1) e-mail phishing attacks; 2) ransomware attacks; 3) loss or theft of equipment or data; 4) insider data loss, whether accidental or intentional; and 5) attacks against connected medical devices that may affect patient safety. Then, in two accompanying “Technical Volumes,” one geared towards small organizations and one geared towards medium to large organizations, the HICP provides a non-comprehensive set of recommended steps that organizations can take to reduce the impact of cybersecurity threats on their operations. The recommended practices fall into ten categories: e-mail protection systems, endpoint protection systems, access management, data protection and loss prevention, asset management, network management, vulnerability management, incident response, medical device security, and cybersecurity policies. In addition, the HICP includes an assessment methodology and additional resources that are aligned with the National Institute of Standards and Technology (NIST) guidelines and designed to help an organization adapt the HICP’s recommendations to its specific needs and priorities.

The HICP emphasizes that the practices provided are not meant to become a de facto set of mandatory requirements, and that in leveraging the NIST guidelines, the Task Group purposely framed its recommendations within existing cybersecurity frameworks rather than reinventing the wheel. Accordingly, the HICP is meant to provide practical guidance for health care organizations wondering where to start and how to adopt certain cybersecurity practices. Although the guidelines offered in the HICP are voluntary and not intended to have any regulatory effect, they may serve as a useful tool for health care organizations seeking to align their cybersecurity policies with current best practices.

Filed Under: Cybersecurity, Data Security, Health Privacy, HHS

About Kate Hanniford

Kate Hanniford is a senior associate with Alston & Bird’s Privacy, Cyber & Data Strategy Team. She focuses her practice on cybersecurity counseling, as well as federal securities law compliance, enforcement, and litigation.
