With Healthcare ‘Under Constant Cyberattack,’ HHS Releases Guidance


Posted January 7, 2019

The U.S. Department of Health and Human Services (HHS) released a four-volume report just before the start of the new year that outlined ways healthcare delivery organizations, from local clinics to large hospital systems, can reduce their risk from the most common cybersecurity threats. These threats include email phishing, ransomware, and attacks against connected medical devices.

“We are under constant cyberattack in the health sector, and no organization can escape that reality,” wrote HHS Deputy Secretary Eric Hargan in Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. “This publication is the result of the collaborative work HHS and its industry partners embarked on more than a year ago—namely, the development of practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks for healthcare organizations of varying sizes.”

This effort, which was mandated by the Cybersecurity Act of 2015, brought together more than 150 cybersecurity and healthcare experts to identify the most prevalent threats and the industry-leading practices that could “significantly move the needle.” These practices include:

  • Email and endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

“To thwart these attacks before they occur, it is essential for healthcare organizations to establish, implement, and maintain current and effective cybersecurity practices,” wrote Health Sector Government Coordinating Council co-leads Erik Decker, privacy officer for the University of Chicago Medicine, and Julie Chua, manager of HHS Risk Management. “We do not expect the practices provided in this publication to become a de facto set of requirements that all organizations must implement. Such a dogmatic approach is not effective given the dynamic nature of cybersecurity threats and the fast pace of technology evolution and adoption.”

In addition to the main report, the publication includes two technical volumes geared toward information technology (IT) and IT security professionals. Technical Volume 1 focuses on cybersecurity practices for small healthcare delivery organizations (HDOs), while Technical Volume 2 focuses on practices for medium and large HDOs. The fourth volume provides resources and templates that organizations can use to assess their cybersecurity posture, as well develop appropriate policies and procedures.