15 January 2019

DHHS Releases Guidance On Managing Cybersecurity Threats In The Health Care Sector

Foley & Lardner


The U.S. Department of Health and Human Services (DHHS) recently released Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). DHHS states that the purpose of the HICP is to:

  1. Raise awareness of cybersecurity;
  2. Provide vetted cybersecurity practices;
  3. Move organizations towards consistency in mitigating cybersecurity threats to the sector;
  4. Aid health care and public health organizations to develop meaningful cybersecurity objectives and outcomes.

The HICP discusses five current threats: (i) e-mail phishing attacks; (ii) ransomware attacks; (iii) loss or theft of equipment or data; (iv) insider, accidental, or intentional data loss; and (v) attacks against connected medical devices that may affect patient safety. The HICP then discusses ten cybersecurity practices to mitigate those threats. In addition to the HICP, DHHS released two technical volumes – one for small health care organizations and another for medium and large health care organizations – and various resources and templates. The technical volumes aim to provide practical guidance to health care organizations on implementing the ten cybersecurity practices. For example, the technical volumes provide a list of the specific policies that health care organizations should have to mitigate the risk of cyberattacks, as well as the specific information that should be captured in the inventory of IT assets maintained by an organization.

Note that although compliance with this cybersecurity guidance (and similar government guidance that has been previously released) is voluntary, courts and others may look to the guidance as setting the standard for "reasonable security" in the health care industry. Therefore, health care organizations should review their current cybersecurity practices against those outlined in the guidance and consider how to address any identified gaps.

DHHS is also expected to release a Cybersecurity Practices Assessments Toolkit, intended to help organizations prioritize their cyber threats and develop an action plan. The Toolkit is still under development but DHHS states an advance copy can be obtained by contacting CISA405d@hhs.gov.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
