HHS Offers Cybersecurity Best Practices for the Health Sector

Published: January 10, 2019

Tags: Cybersecurity, Health Care, Health IT

In late December, HHS released a cybersecurity guide for the health industry meant to serve both IT and non-IT professionals.

The health sector is a prime target for cyber threat actors, which puts not only health-related IT systems and data at risk, but also the health and safety of citizens. For these reasons, HHS, in conjunction with industry and government partners, including 150 health care and cybersecurity experts, produced the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients document to guide health organizations in implementing IT security best practices.

Development of the guide was in part due to a requirement in the Cybersecurity Act of 2015 (CSA), which mandates the alignment of health care industry security approaches. The collaborative task group came together in May 2017 to address this requirement under the law. The resulting document reflects the group's recommendations.

According to the publication, its goal “is to foster awareness, provide practices, and move towards consistency within the health care and public health sector in mitigating the current most impactful cybersecurity threats.”

Closely following the NIST Cybersecurity Framework, the guide presents "voluntary, consensus-based principles and practices" meant to improve information security in the health sector. The document focuses on "the five most prevalent cybersecurity threats and the ten cybersecurity practices" that promise the most significant impact in mitigating them in the health care arena.

The five threats explored in the cybersecurity guide are:

  • E-mail phishing attacks
  • Ransomware attacks
  • Loss or theft of equipment or data
  • Insider, accidental or intentional data loss
  • Attacks against connected medical devices that may affect patient safety

The ten practices specified to mitigate these threats are:

  • E-mail protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

According to the publication, $6.2B was lost by the U.S. health care system in 2016 due to data breaches. Such statistics should compel health-related organizations to take action to shore up their cybersecurity. Companies, vendors and contractors that offer cybersecurity products and services should take advantage of the new HHS cybersecurity guide as a means to help them promote their solutions to public health organizations, health care providers, labs and the medical community.