DHHS Releases Guidance on Managing Cybersecurity Threats in the Health Care Sector | Blogs | Health Care Law Today

The U.S. Department of Health and Human Services (DHHS) recently released Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). DHHS states that the purpose of the HICP is to:

Raise awareness of cybersecurity;
Provide vetted cybersecurity practices;
Move organizations towards consistency in mitigating cybersecurity threats to the sector;
Aid health care and public health organizations to develop meaningful cybersecurity objectives and outcomes.

The HICP discusses five current threats: (i) e-mail phishing attacks; (ii) ransomware attacks; (iii) loss or theft of equipment or data; (iv) insider, accidental, or intentional data loss; and (v) attacks against connected medical devices that may affect patient safety. The HICP then discusses ten cybersecurity practices to mitigate those threats. In addition to the HICP, DHHS released two technical volumes – one for small health care organizations and another for medium and large health care organizations – and various resources and templates. The technical volumes aim to provide practical guidance to health care organizations on implementing the ten cybersecurity practices. For example, the technical volumes provide a list of the specific policies that health care organizations should have to mitigate the risk of cyberattacks, as well as the specific information that should be captured in the inventory of IT assets maintained by an organization.

Note that although compliance with this cybersecurity guidance (and similar government guidance that has been previously released) is voluntary, courts and others may look to the guidance as setting the standard for “reasonable security” in the health care industry. Therefore, health care organizations should review their current cybersecurity practices against those outlined in the guidance and consider how to address any identified gaps.

DHHS is also expected to release a Cybersecurity Practices Assessments Toolkit, intended to help organizations prioritize their cyber threats and develop an action plan. The Toolkit is still under development but DHHS states an advance copy can be obtained by contacting CISA405d@hhs.gov.

The HICP and related resources are available here.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Author(s)

Jennifer L. Urban

Partner

jurban@foley.com

Jennifer J. Hennessy

Partner

jhennessy@foley.com

Related Services

Sectors

Health Care & Life Sciences

Practice Areas

Health Care

Insights

The Future of Venture Debt

17 March 2023 | 12:04 p.m. CT

Innovative Technology Insights

Ripple Effect of Recent Bank Insolvencies on Real Estate

16 March 2023 | 11:58 a.m. CT

Innovative Technology Insights

Travelodge Hotels, Inc. v. Durga, LLC: A Case Study on How to Document Compliance Obligations under Franchise Agreements

16 March 2023

FTC Issues Guidance on AI-Powered Products

16 March 2023

Foley Ignite

Jennifer Hennessy Discusses Cybersecurity Concerns for Health Care Industry

17 March 2023

Bloomberg Law

Jack Lord Discusses Murky Legal Landscape on Pronoun Misuse

15 March 2023

Law360

Lyman Thai Discusses High-Tech Career, Guiding Cutting-Edge Clients

15 March 2023

Of Counsel

Mark Hebbeln and Susan Poll Klaessy Author Chapter in 2023 Edition of Environmental Law in Corporate and Real Estate Transactions

15 March 2023

Threats of Antitrust Enforcement in the Supply Chain

18 May 2023

Webinar

DTC Healthcare Conference: How to Build and Scale a Multistate DTC Telemedicine Company

28 April 2023

New York

Stewarding ESG in the Mobility Supply Chain

26 April 2023

Zoom Meeting

CXO Forum

18 April 2023

East Palo Alto, CA