The Department of Health and Human Services published a guide of cybersecurity practices with the aim of reducing the growing risk from cyberattacks. The recommendations are just that — suggestions to be instituted voluntarily.
“Health Industry Cybersecurity Practices: Managing threats and protecting patients” stems from the Cybersecurity Act of 2015. Section 405(d) called for an alignment of security approaches across the healthcare industry.
In that vein, HHS and the 405(d) Task Group spent more than a year tapping into the expertise of 150 public and private healthcare and cybersecurity experts through the Health Sector Coordinating Council. The task group focused on current threats, weaknesses and effective cybersecurity practices.
Last week, the task group published its four-volume guide. Rather than reinvent the wheel, the guide builds on the NIST Cybersecurity Framework with the aim of helping healthcare CIOs move the cybersecurity needle. Indeed, one of the guide’s unmistakable themes is the criticality of educating everyone in an organization on how to fight against cyber threats. As Janet Vogel, HHS acting chief information officer, said in a press release announcing the news, “Cybersecurity is everyone’s responsibility.”
The guide’s first volume details five of the most widespread cybersecurity threats healthcare organizations face. It uses easy-to-understand language, for example, describing email phishing attacks as “an attempt to trick you, a colleague or someone else in the workplace into giving out information using e-mail.” The first volume also includes real-world scenarios, quick tips on how to keep the threats at bay and, in table form, the potential vulnerabilities that may exist within an organization and the corresponding cybersecurity practices to consider.
The second and third volumes are “technical volumes” broken down by organization size. One details the ten recommended cybersecurity practices for small healthcare organizations; the other covers the same ten practices for mid-sized and large healthcare organizations.
The cybersecurity practices are not listed in any order. Instead, the resource is meant to provide “flexibility for an organization to determine its unique security posture, through a risk assessment or other assessment, and to determine how to prioritize and allocate resources,” according to the guide.
The final volume is a collection of additional resources that may come in handy.
And if healthcare CIOs need it, the guide makes a compelling case as to why cybersecurity should be top of mind for anyone in the C-suite. Healthcare organizations are increasingly facing ransomware attacks, where crucial data is sometimes held hostage, and the cost of data breaches continues to rise. According to survey results from IBM Security and Ponemon Institute, the cost for a healthcare data breach rose $28 per record between 2017 and 2018 from $380 to $408.