Health Care Providers: Looking to Improve Your Cybersecurity Compliance?

If you are a health care organization interested in improving your cybersecurity, then we have some good news for you. On December 28, 2018, the U.S. Department of Health and Human Services (“HHS”) published technical guidance for small, medium, and large health care organizations looking to voluntarily improve their cybersecurity. The publication includes four parts: (1) a main document examining the common cybersecurity threats and vulnerabilities that affect the health care industry, including five specific threats and best practices to mitigate those threats; (2) technical volume 1, which discusses cybersecurity practices for small health care organizations; (3) technical volume 2, which discusses cybersecurity practices for medium and large health care organizations; and (4) resources and templates for health care providers to reference.

This guidance was drafted by over 150 healthcare and cybersecurity experts who made up a Task Group convened by HHS in response to the requirements of the Cybersecurity Act of 2015. The Task Group’s goal was to foster collaboration between HHS and industry stakeholders to develop “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for health care organizations of varying sizes.” The publication focuses on the five most prevalent cybersecurity threats, and it provides guidance on 10 cybersecurity practices to help health care organizations improve their cybersecurity.

The publication identifies the five most prevalent cybersecurity threats to health care organizations as: (1) email phishing attacks, (2) ransomware attacks, (3) loss or theft of equipment or data, (4) accidental or intentional data loss, and (5) attacks against connected medical devices that may affect patient safety. To combat these threats, the technical publication for small providers offers guidance on implementing 10 cybersecurity practices: (1) email protection systems, (2) endpoint protection systems, (3) access management, (4) data protection and loss prevention, (5) asset management, (6) network management, (7) vulnerability management, (8) incident response, (9) medical device security, and (10) cybersecurity policies. The technical publication for medium to large providers provides guidance on the same concepts, but the practical guidance is scaled to account for the larger organizational structures and operational systems. The Task Group is currently developing a Cybersecurity Practices Assessment Toolkit, and providers can obtain an advance copy by contacting the Task Group at [email protected].

The important thing to remember is that these guidelines are voluntary. However, it is unknown how HHS may rely on these guidelines in the future. Under the HIPAA Security Rule, covered entities and business associates must have reasonable safeguards in place to ensure appropriate protection of protected health information (“PHI”). There have been few generally accepted standards for protecting PHI in the diverse health care industry, and the law and regulations were written to provide for flexibility across the industry when protecting PHI. However, it is possible that HHS could rely on this guidance as a standard when determining industry best practices or whether reasonable safeguards are being implemented to ensure appropriate protection of PHI.

Contact McCarty Law’s health law attorneys if you have questions about this guidance or if you would like more information.

Lindsey Croasdale

Health Law and Business & Corporate Law Attorney at McCarty Law LLP
Lindsey focuses her practice on regulatory compliance and corporate transactions in health care as she assists her clients in understanding and navigating health care policies.