The U.S. Department of Health and Human Services (DHHS) recently released Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). DHHS states that the purpose of the HICP is to:
The HICP discusses five current threats: (i) e-mail phishing attacks; (ii) ransomware attacks; (iii) loss or theft of equipment or data; (iv) insider, accidental, or intentional data loss; and (v) attacks against connected medical devices that may affect patient safety. The HICP then discusses ten cybersecurity practices to mitigate those threats. In addition to the HICP, DHHS released two technical volumes – one for small health care organizations and another for medium and large health care organizations – and various resources and templates. The technical volumes aim to provide practical guidance to health care organizations on implementing the ten cybersecurity practices. For example, the technical volumes provide a list of the specific policies that health care organizations should have to mitigate the risk of cyberattacks, as well as the specific information that should be captured in the inventory of IT assets maintained by an organization.
Note that although compliance with this cybersecurity guidance (and similar government guidance that has been previously released) is voluntary, courts and others may look to the guidance as setting the standard for “reasonable security” in the health care industry. Therefore, health care organizations should review their current cybersecurity practices against those outlined in the guidance and consider how to address any identified gaps.
DHHS is also expected to release a Cybersecurity Practices Assessments Toolkit, intended to help organizations prioritize their cyber threats and develop an action plan. The Toolkit is still under development but DHHS states an advance copy can be obtained by contacting CISA405d@hhs.gov.
The HICP and related resources are available here.