The U.S. Department of Health and Human Services has issued voluntary cybersecurity best practices for healthcare organizations and guidelines for managing cyber threats and protecting patients.
Healthcare technologies are essential for providing care to patients, yet those technologies introduce risks. If those risks are not properly managed, they can result in disruption to healthcare operations, costly data breaches, and harm to patients.
HHS cites figures showing that data breaches cost the U.S. healthcare system $6.2 billion in 2016, that four out of five physicians in the United States have experienced some form of cyberattack, and that the average cost of a data breach for a healthcare organization is now $2.2 million.
“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health,” said Janet Vogel, HHS Acting Chief Information Security Officer. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”
The guidance and best practices – Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients – were developed in response to a mandate in the Cybersecurity Act of 2015 Section 405(d) to issue practical guidelines to help healthcare organizations cost-effectively reduce healthcare cybersecurity risks.
The guidance was developed over two years with assistance provided by more than 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.
“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers,” said Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine.
Two technical volumes have also been published that outline cybersecurity best practices tailored to the size of the organization: one for small healthcare providers such as clinics, and a second for medium healthcare organizations and large health systems. The documents contain a common set of voluntary, consensus-based, industry-led guidelines, best practices, methodologies, procedures, and processes.
The aim of the guidance and best practices is threefold: to help healthcare organizations reduce cybersecurity risk to a low level in a cost-effective manner, to support the voluntary adoption and implementation of the Cybersecurity Act recommendations, and to provide practical, actionable, and relevant cybersecurity advice for healthcare organizations of all sizes.
The guidance aims to raise awareness of cybersecurity threats to the healthcare sector and help healthcare organizations mitigate the five threats it identifies as most impactful: email phishing attacks, ransomware attacks, loss or theft of equipment and data, accidental and intentional insider data breaches, and attacks on medical devices that could affect patient safety.
Ten cybersecurity practices are detailed in the technical volumes to mitigate those threats, covering the following areas:
- E-mail protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
A “cybersecurity practices assessment toolkit” has also been made available to help healthcare organizations prioritize the threats they face and develop action plans to mitigate them.
Over the next few months, HHS will work closely with industry stakeholders to raise awareness of cybersecurity threats and to encourage adoption of the best practices across the health sector.