DHHS Releases Guidance on Managing Cybersecurity Threats in the Health Care Sector

10 January 2019 Health Care Law Today Blog
Author(s): Jennifer L. Urban, Jennifer J. Hennessy

The U.S. Department of Health and Human Services (DHHS) recently released Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). DHHS states that the purpose of the HICP is to:

  1. Raise awareness of cybersecurity;
  2. Provide vetted cybersecurity practices;
  3. Move organizations towards consistency in mitigating cybersecurity threats to the sector;
  4. Aid health care and public health organizations to develop meaningful cybersecurity objectives and outcomes.

The HICP discusses five current threats: (i) e-mail phishing attacks; (ii) ransomware attacks; (iii) loss or theft of equipment or data; (iv) insider, accidental, or intentional data loss; and (v) attacks against connected medical devices that may affect patient safety. The HICP then discusses ten cybersecurity practices to mitigate those threats. In addition to the HICP, DHHS released two technical volumes – one for small health care organizations and another for medium and large health care organizations – and various resources and templates. The technical volumes aim to provide practical guidance to health care organizations on implementing the ten cybersecurity practices. For example, the technical volumes provide a list of the specific policies that health care organizations should have to mitigate the risk of cyberattacks, as well as the specific information that should be captured in the inventory of IT assets maintained by an organization.

Note that although compliance with this cybersecurity guidance (and similar government guidance that has been previously released) is voluntary, courts and others may look to the guidance as setting the standard for “reasonable security” in the health care industry. Therefore, health care organizations should review their current cybersecurity practices against those outlined in the guidance and consider how to address any identified gaps.

DHHS is also expected to release a Cybersecurity Practices Assessments Toolkit, intended to help organizations prioritize their cyber threats and develop an action plan. The Toolkit is still under development, but DHHS states that an advance copy can be obtained by contacting CISA405d@hhs.gov.

The HICP and related resources are available here.
