The Department of Health and Human Services (HHS) observes that the US healthcare system lost $6.2 billion as a result of data breaches in 2016 and that 4 out of 5 US physicians have experienced some form of cyber-attack [1]. The overarching message from HHS is: don't be a victim of poor security.
HHS, in partnership with the healthcare industry, has released "Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients" (December 28, 2018) [2]. This four-volume publication addresses voluntary best cybersecurity practices for healthcare organizations of all sizes. It can be accessed here [3]. The publication includes the main document, two technical volumes, and resources and templates. The technical volumes are geared specifically to small and to medium/large organizations, respectively.
This new resource helps interpret what should be "industry standard" cybersecurity and appears to suggest that, at a minimum, organizations should take into account ten specific areas within a cyber program (described below). The resource should not be read to override other healthcare security obligations (such as those under the Health Insurance Portability and Accountability Act (HIPAA)), but it may help fill interpretation gaps where there is discretion on how to meet a specific HIPAA security standard. It may also be grounds to show a lack of reasonable security in support of legal claims under laws beyond HIPAA.
The new resource recommends the following ten cybersecurity practices to help mitigate cyber threats generally; their implementation will necessarily vary based on the nature of the organization, its systems and equipment, and the type and amount of sensitive data it handles:
- E-mail protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
According to the new resource, it is up to the individual organization to prioritize among these practices following a security assessment of where it stands on these matters. Covered entities and their business associates under HIPAA, for whom such an assessment is already required under the HIPAA Security Rule, may take advantage of HHS's "Security Risk Assessment" tool, available here [4], to help with this process.
The new resource provides real-world scenarios, practical guidance, and resources to help organizations align their practices with the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (identify, protect, detect, respond, and recover) with respect to better managing cyber threats. This new resource, by its own account, did not intend to "recreate the wheel" and leverages the NIST framework. The resource was prepared in partnership with the industry through a public-private task force, as required under Section 405(d) of the Cybersecurity Act of 2015. The task force expects to update the resource regularly to reflect evolving threats. Work on tools within the "resources and templates" portion of the resource also appears to be ongoing. Organizations seeking to be more involved with what HHS (in cooperation with the industry) recommends for cybersecurity can still join the task force that generated this resource by contacting CISA405d@hhs.gov.
[1] See HHS's "Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients", available at https://www.phe.gov/Preparedness/Planning/405d/Documents/HICP-Main-508.pdf (last visited January 10, 2019).
[2] https://www.hhs.gov/about/news/2018/12/28/hhs-in-partnership-with-industry-releases-voluntary-cybersecurity-practices-for-the-health-industry.html (last visited January
[3] The link is https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx (last visited January 10, 2019).
[4] The link is https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment (last visited January 10, 2019).