In order to move health care organizations towards consistency in mitigating important cybersecurity threats to the health care sector, the Department of Health & Human Services (HHS) published multiple guidance documents on best practices for health care organizations to reduce cybersecurity risks (“HHS Cyber Guidance”). The HHS Cyber Guidance is the result of HHS’ public-private partnership with more than 150 cybersecurity and health care experts. While compliance is voluntary, this guidance serves as direction to health care entities on important practices that should be considered and implemented to reduce risk.

Why HHS has published this guidance

In 2015, Congress called for “Aligning Health Care Industry Security Approaches,” in Section 405(d) of the Cybersecurity Act of 2015 (CSA). As a result, the 405(d) Task Group was created, bringing together private members of the health care and cybersecurity industry with government agency representatives. Beginning in May 2017, the Task Group focused on developing a framework of voluntary, consensus-based principles and practices to provide health care entities with a better understanding of cybersecurity risks and mitigation strategies. The HHS Cyber Guidance notes that cyber attacks are becoming increasingly sophisticated and widespread and that cyber attacks on health care organizations can affect critical functions and expose patient health information and may lead to substantial financial costs and potential patient safety risks.

HHS notes that cybersecurity is increasingly top of mind for health care organizations. The publication states that 4 in 5 U.S. physicians have experienced some form of cybersecurity attack and the cost of a health care breach is currently $408 per record—the highest cost across all industries. Health care organizations have much to lose if they fall victim to a cyber attack—for example, a recent ransomware attack cost a hospital $17,000 and operational control after the hacker froze all computer systems, effectively halting all health care delivery by requiring the hospital to transfer all patients and resort to paper medical records. Health care organizations can be subject to regulatory enforcement actions after data breaches or could lose their electronic medical record systems altogether.

This Guidance marks continued agency focus on cybersecurity threats to health care organizations and an interest in improving security and safety in health care delivery. In the last year, FDA proposed guidance regarding postmarket management of cybersecurity in medical devices, as well as guidance for those submitted for premarket review.

What is in the HHS Cyber Guidance

The HHS Cyber Guidance includes an overview document aimed at health care organizations of all sizes, titled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). HCIP identifies five of the “most relevant and current threats to the industry” and provides cybersecurity practice recommendations consistent with the NIST Cybersecurity Framework. Two technical volumes, intended for IT and/or IT security professionals, provide guidance for small, medium, and large health care organizations on developing strong cybersecurity practices. The publication also includes resources and templates that end users may reference. A “Cybersecurity Practices Assessments Toolkit” has not yet been released, but interested stakeholders may request an advance copy.

Threats and Mitigation Practices

The HICP document identifies five of the “most relevant and current threats to the industry”:

  • E-mail phishing attacks
  • Ransomware attacks
  • Loss or theft of equipment or data
  • Insider, accidental or intentional data loss
  • Attacks against connected medical devices that may affect patient safety

In response, the Task Group outlines cybersecurity practice recommendations that are consistent with the NIST Cybersecurity Framework. The NIST Framework documents practices that entities should employ during a cyber incident using the typical phases of an incident lifecycle. NIST practices fall within one of the five phases: Identify, Protect, Detect, Respond, and Recover.

The document further provides ten practice recommendations, with 88 sub-practices. The ten practice recommendations include:

  • E-mail protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

Recommendations for the number of sub-practices that an organization should implement are dependent on the attributes and size of the organization. Small health care organizations are recommended to implement 19 or more sub-practices, medium organizations 36 or more, and large organizations should attempt to implement all 88. The task group acknowledges the difficulties that organizations may face in implementing the practices, but provides a step-by-step threat assessment tool in the resource documents to allow health care organizations to identify the threats that they may be most vulnerable to.

The Task Group notes that it was not feasible to address all threats or mitigations and that the publication is the first step in an iterative and ongoing process. As new threats and technologies emerge, it is anticipated that there will need to be updated information to health care organizations to guard against future cyber threats. HHS plans to work with stakeholders in the coming months to assist with implementation of the practices; however, Deputy Secretary Eric Hargan notes that HHS will continue to partner with the industry to address cybersecurity challenges and asks that anyone interested in joining the 405(d) Task Group to contact the team at CISA405d@hhs.gov.

Health care organizations should review the guidance and take an opportunity to discuss the Task Group’s recommendations and determine next steps in implementing the cybersecurity practices. For more information, please contact Jodi Daniel (jdaniel@crowell.com).