HHS Publishes Cybersecurity Best Practices for Healthcare Organizations

The U.S. Division of Health and Human Services has issued unpaid cybersecurity best practices for healthcare companies and instructions for managing cyber threats and safeguarding patients.

Healthcare technologies are vital for providing care to patients, however, those technologies introduce dangers. If those dangers are not correctly managed they can lead to interruption to healthcare operations, expensive data breaches, and damage to patients.

The HHS notices that $6.2 billion was lost by the U.S. Health Care System in 2016 as a consequence of data breaches and 4 out of 5 doctors in the United States have suffered some form of cyberattack. The average cost of a data breach for a healthcare business is presently $2.2 million.

“Cybersecurity is everybody’s duty. It is the duty of every business working in healthcare and public health,” said Janet Vogel, HHS Interim Chief Information Safety Officer. “In all of our efforts, we should accept and leverage the value of partnerships among government and industry stakeholders to address the shared problems collaboratively.”

The help and best practices – Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients – were developed in reaction to an instruction in the Cybersecurity Act of 2015 Section 405(d) to issue practical advice to help healthcare companies cost-effectively decrease healthcare cybersecurity dangers.

The help was developed over two years with help provided by over 150 cybersecurity and healthcare specialists from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Safety and Resilience Public-Private Collaboration.

“The healthcare industry is really a diverse digital ecosystem. We heard loud and clear through this procedure that suppliers require actionable and practical guidance, tailored to their requirements, to manage modern cyber threats. That is precisely what this source delivers,” said Erik Decker, industry co-lead and Chief Information Safety and Secrecy Officer for the University of Chicago Medicine.

Two technical volumes have also been issued that outline cybersecurity best practices for healthcare companies tailor-made to the size of the company: One for small healthcare suppliers such as clinics and a second volume for medium healthcare companies and big health systems. The documents contain a common set of unpaid, consensus-based, and industry-led advices, best practices, methodologies, processes, and procedures.

The purpose of the help and best practices is threefold: To assist healthcare companies to decrease cybersecurity dangers to a low level in a cost-effective way, to support the voluntary adoption and application of Cybersecurity Act advice, and to provide practical, actionable, and related cybersecurity advice for healthcare companies of all sizes.

The help aims to increase awareness of cybersecurity dangers to the healthcare sector and assist healthcare companies to alleviate the most impactful cybersecurity dangers: Electronic mail phishing attacks, ransomware attacks, loss/theft of equipment and data, unintentional and intentional insider data breaches, and medical appliance attacks that might affect patient security.

Ten cybersecurity exercises are detailed in the technical volumes to alleviate the above dangers in the following areas:

  • Electronic mail safety systems
  • Endpoint safety systems
  • Access management
  • Data safety and loss avoidance
  • Asset management
  • Network management
  • Vulnerability management
  • Incident reaction
  • Medical device safety
  • Cybersecurity plans

A “cybersecurity exercises assessments toolkit” has also been made available to assist healthcare companies to prioritize dangers and develop action plans to alleviate those dangers.

Over the next few months, the HHS will be working directly with industry stakeholders to increase awareness of cybersecurity dangers and apply the best practices across the health sector.