Just before the start of the New Year, the Department of Health and Human Services issued “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, ” a multi-volume publication that examines current cybersecurity threats affecting the Health Care and Public Health sector. The publication identifies specific weaknesses that make organizations more vulnerable to cyber threats and highlights selected practices that cybersecurity experts rank as the most effective to mitigate the threats. Because HHS recognizes that “not one size fits all” in the health care sector, the document compiles practices specific to health care organizations of varying sizes— from small physician practices to large university hospital systems. It also provides technical implementation recommendations for IT and information security professionals.

The five threats addressed in the publication include:

  • E-mail phishing attacks
  • Ransomware attacks
  • Loss or theft of equipment or data
  • Insider, accidental or intentional data loss
  • Attacks against connected medical devices that may affect patient safety

The two technical volumes (one each for small entities and larger systems) address best practices to mitigate each of the above threats. The ten practices are:

  • E-mail protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

While the HHS publication does not mandate any of the best practices, the guidance may represent the beginning of a consensus around what a reasonable level of cybersecurity looks like in the health care environment. For health care providers, any such consensus may signify the seeds of new liabilities for entities that fail to make any effort to implement at least some of recommended best practices. At a minimum, the best practices provide some substantial baseline arguments for plaintiffs in data privacy and security lawsuits against providers that have failed to adequately protect health information. For that reason, we encourage health care providers to review the applicable volumes with an eye toward their existing cyber policies and practices while paying special attention to any gaps in security.