HHS Unveils New Cybersecurity Guide

Akin Gump Strauss Hauer & Feld LLP

The U.S. Department of Health and Human Services (HHS) continues to play a central role in helping health care organizations defend against cybersecurity threats, issuing cybersecurity briefs and a new cybersecurity framework over the last 60 days.

On April 6, 2023, HHS warned health care organizations of the cybersecurity threat posed to Electronic Medical/Health Records (EMRs/EHRs). This latest threat briefing is one of the first issued to health care organizations under HHS’s new cybersecurity framework (and follows its previous briefing on “Data Exfiltration trends in Healthcare”).

In addition to specific briefings on key cyber risk areas, HHS unveiled a new framework through the agency’s Administration for Strategic Preparedness and Response (ASPR) to assist health care organizations with responding to cyber threats. This new guide—the Cybersecurity Implementation Guide—is the product of a public-private partnership designed to improve cyber risk management in an era of rising cyberattacks in the health care space.

The guide contains a series of voluntary best practices for helping health care organizations address cybersecurity risks to items like patient data, intellectual property, medical device manufacture and research. These practices cover risk identification and management, access control and supply chain monitoring, along with corporate board oversight of cyber risk management programs. The guide emphasizes the importance of boards approaching cybersecurity as an enterprise-wide risk management issue, instead of merely an IT issue.

With this guide, HHS seeks to help public and private health care organizations align their information security programs with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). NIST recently released a proposed update for the framework in January, along with a new framework for artificial intelligence (AI).

ASPR developed the guide jointly with the Health Sector Coordinating Council Cybersecurity working group (which includes health care companies, hospitals and industry groups), with input from NIST and other federal agencies. This project follows the White House National Cybersecurity Strategy announcement earlier in March calling for private-public cooperation against cyber threats to critical infrastructure.

The health care sector is a particularly prime target for cyber threat actors, and guidance like this can help organizations plug gaps in their defenses.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising
