
HHS issues voluntary health care cybersecurity guidelines

Milada Goturi January 17, 2019

On December 28, 2018, the U.S. Department of Health and Human Services (“HHS”) published “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” (the “Guidelines”). The Guidelines were developed in response to the mandate in Section 405(d) of the Cybersecurity Act of 2015 to develop voluntary, consensus-based cybersecurity practices that reduce cybersecurity risks for health care organizations.

The Guidelines consist of the following four separate documents:

  • The Main Document, which provides an in-depth look at the five most relevant and current cybersecurity threats to the health care industry: e-mail phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental or intentional data loss; and attacks against connected medical devices that may affect patient safety. The Guidelines enumerate ten cybersecurity practices to mitigate these threats, including e-mail protection systems, endpoint protection systems, access management, data protection and loss prevention, asset management, network management, vulnerability management, incident response, medical device security and cybersecurity policies.

  • Technical Volume 1, which addresses cybersecurity practices for small health care organizations.

  • Technical Volume 2, which addresses cybersecurity practices for medium and large health care organizations.

  • Resources and Templates Volume, which provides resources and templates to support an organization’s assessment of its current cybersecurity program and to present several template policies and procedures.

The Guidelines provide health care organizations of all types and sizes with practical information on cybersecurity practices. Cyber threats to patient information continuously evolve, and regulatory enforcement continues to focus on data security matters. In recent years, numerous HHS enforcement actions have involved non-compliance with the HIPAA Security Rule. The Guidelines are voluntary; following them does not by itself satisfy the risk analysis and risk management obligations of the HIPAA Security Rule. Thus, it is important for health care organizations to be vigilant in their efforts to protect patient information and to ensure compliance with the HIPAA Security Rule. Health care organizations can use the Guidelines as a helpful resource in their cybersecurity compliance efforts.