
January 10, 2019

Department of Health and Human Services Releases Cybersecurity Guidance and Resources Tailored to Health Industry

A series of recent guidance documents published by the Department of Health and Human Services (HHS) titled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients states the cost of data breaches for health care organizations is on the rise, increasing from $380 per breached record in 2017 to $408 per record in 2018. The average cost of a data breach for health care organizations is estimated to be $2.2 million. The guidance identifies common cybersecurity issues health care organizations face and provides cybersecurity practices these organizations can implement to mitigate any identified threats or vulnerabilities.

The guidance, which was created due to a directive in the Cybersecurity Act of 2015, is the product of a collaborative effort by health care and cybersecurity industry experts in both the public and private sectors. The guidance includes four documents, described in more detail as follows:

"Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients" (Main Publication)

This document provides an overview of current cybersecurity threats facing the health care industry and lists the five most common cybersecurity threats as:

  1. Email phishing attacks
  2. Ransomware attacks
  3. Loss or theft of equipment or data
  4. Insider data loss, either accidental or intentional
  5. Attacks against connected medical devices that may affect patient safety

For each threat, the document describes vulnerabilities, impacts, and practices for health care organizations to consider. Providers looking to mitigate these five threats are directed to review the technical volumes, which provide cybersecurity practices appropriate for small (Technical Volume 1) and medium to large (Technical Volume 2) organizations.

"Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations"

This document provides ten cybersecurity practices for small health care organizations, which may not have dedicated information technology (IT) and security staff due to limited resources. Cybersecurity practices include the following, each with sub-practices, to mitigate common cybersecurity threats:

  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

"Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations"

This document provides cybersecurity practices for medium and large health care organizations, which may operate in more complex legal, operational, and regulatory environments. The categories of cybersecurity practices covered in Technical Volume 2 are similar to, but more expansive than, those addressed in Technical Volume 1 because these larger organizations run more interconnected and complex IT systems.

"Resources and Templates"

This document provides additional resources to supplement the main publication and technical volumes, including a glossary of common terms and an overview of the cybersecurity practices and how they align with the NIST Cybersecurity Framework. This document also provides a list of free resources and template documents relating to the threats and concepts covered in the guidance documents.

In addition, HHS is in the process of developing a "cybersecurity practices assessments toolkit" to help organizations develop action plans to address security threats using a proposed assessment methodology.


If you have any questions regarding the content of this alert, please contact Bridget C. Steele, associate, at bsteele@barclaydamon.com or 716.858.3704.
