On Dec. 28, 2018, the U.S. Department of Health and Human Services (HHS) announced the release of voluntary cybersecurity practices and tools for the healthcare industry. The documents were the result of Section 405(d) of the Cybersecurity Act of 2015 and developed by a task group of 103 members and tested by more than 120 stakeholders, including clinicians and IT professionals.

That federal law required HHS to develop guidelines and best practices in collaboration with the Secretary of Homeland Security, National Institute of Standards and Technology (NIST), healthcare industry stakeholders and others. The practices are required to be consistent with NIST standards, as well as HIPAA and the HITECH Act, and should be updated on a regular basis. The documents include a primary overview publication that explores current threats and how to mitigate them. They also include two technical volumes – one for small healthcare organizations and one for medium and large organizations- that discuss cybersecurity practices for those entities.

The task group also provided a number of resources and templates, including suggestions for listing and prioritizing threats, draft policies and links to a number of third party resources.