Voluntary Cybersecurity Best Practices for Healthcare Organizations Published by HHS

The U.S. Department of Health and Human Services (HHS) has published voluntary cybersecurity best practices for healthcare organizations to help them deal with cyber risks and better protect patients from harm.

Healthcare technologies are vital for providing healthcare services to patients, but those technologies introduce risks that could result in harm to patients. Not managing risks properly can lead to disruption to healthcare services, data breaches, and possibly injuries to patients.

The HHS explained that $6.2 billion was lost by the U.S. Health Care System in 2016 from data breaches and 4 of 5 doctors in the United States have encountered a cyberattack in some form. The average data breach cost for a healthcare company is currently $2.2 million.

HHS Acting Chief Information Security Officer, Janet Vogel, stated that cybersecurity is the responsibility of everybody involved in healthcare and public health. Everyone must understand and take advantage of the partnerships between government and industry stakeholders and deal with the common problems together.

The new guidance – Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients – was developed as a result of a Cybersecurity Act of 2015 mandate (Section 405(d)). The documents provide practical guidance to assist healthcare establishments in cost-effectively reducing cybersecurity-related risks.

More than 150 cybersecurity and healthcare specialists from private industry and the government were consulted and provided their input.

Industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine, Eric Decker, said healthcare providers need to have actionable and simple advice, adapted to their needs, to control modern cyber threats and that is why the cybersecurity best practices were developed.

Two technical volumes outlining cybersecurity best practices for healthcare organizations have been published: one for small healthcare providers and the other for medium- and large-sized healthcare organizations and health systems. The aim of the guidance is to assist healthcare organizations in minimizing cybersecurity risks in a cost-effective way, to help increase adoption of Cybersecurity Act recommendations, and to give useful, actionable, and appropriate cybersecurity advice for healthcare organizations of all sizes.

The guidance will help to raise awareness of common cyber threats such as ransomware, email phishing, device loss/theft, accidental and deliberate insider data breaches, and healthcare device attacks, and provides practical advice on how to effectively manage risk.

The technical volumes detail ten cybersecurity practices to offset the above risks in the following areas:

  • Endpoint protection systems
  • E-mail protection systems
  • Asset management
  • Access management
  • Data protection and loss prevention
  • Network management
  • Medical device security
  • Vulnerability management
  • Incident response
  • Cybersecurity policies

There is also a cybersecurity practices assessment toolkit available to assist healthcare companies in prioritizing risks and creating action plans to offset those risks. Over the coming months, the HHS is going to work with industry stakeholders to increase awareness of common cybersecurity threats and will help to ensure that the best practices are widely adopted by the health industry.