The 10 things HHS says you should be doing to stop phishing, ransomware and other threats

HHS has published guidance on cybersecurity for healthcare organizations. Even though it’s voluntary, the new HHS Guidance is significant in that it lays out the agency’s expectations of the measures medical offices and other organizations should take to protect medical data from cybersecurity threats.

How the Guidance came about

The genesis of the Guidance is a law, the Cybersecurity Act of 2015 (CSA), Section 405(d) of which directs HHS to develop practical, healthcare industry-aligned cybersecurity guidelines to help providers reduce cybersecurity risks cost-effectively. To implement the Section 405(d) mandate, the CSA established a Task Group made up of over 150 healthcare and cybersecurity industry experts and government agency representatives. Starting in May 2017, the Task Group began working to develop a framework of voluntary, consensus-based principles and practices to give healthcare entities a better understanding of cybersecurity risks and mitigation strategies.

What the Guidance covers

Issued on Dec. 28, 2018, the Guidance is the fruit of the Task Group’s labor, offering practical cybersecurity strategies to healthcare organizations of all types and sizes. It’s made up of several documents, the main one titled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), which identifies and explores five of the “most relevant and current threats to the industry”:

  • E-mail phishing attacks;
  • Ransomware attacks;
  • Loss or theft of equipment or data;
  • Insider, accidental or intentional data loss; and
  • Attacks against connected medical devices that may affect patient safety.

The Guidance’s 10 recommendations

The Guidance outlines 10 cybersecurity practice recommendations that healthcare organizations should implement to minimize the five threats, namely:

  1. E-mail protection systems;
  2. Endpoint protection systems;
  3. Access management measures;
  4. Data protection and loss prevention measures;
  5. Asset management systems;
  6. Network management systems;
  7. Vulnerability management systems;
  8. Incident response policies and procedures;
  9. Medical device security measures; and
  10. Cybersecurity policies.

The Guidance lists 88 sub-practice recommendations for implementing the 10 measures, scaled to the attributes and size of the organization. Accordingly, the Guidance recommends that small healthcare organizations implement 19 or more sub-practices, medium organizations implement 36 or more, and large organizations implement all 88.

The new HHS Cybersecurity Guidance is set out in four documents, namely:

  1. Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, listing five of the “most relevant and current threats to the industry”;
  2. Technical Volume 1, discussing cybersecurity practices for small healthcare organizations;
  3. Technical Volume 2, discussing cybersecurity practices for medium and large healthcare organizations; and
  4. Resources and Templates, listing cybersecurity resources and templates.