On December 28, 2018, the U.S. Department of Health and Human Services (“HHS”) closed out the year by releasing long-awaited voluntary cybersecurity guidelines for the health care industry.[1] The four-volume publication, developed in collaboration with industry partners, outlines 5 of the most prevalent cybersecurity threats and 10 cybersecurity practices to mitigate those threats. The new guidelines have caused health care organizations to begin the New Year by considering whether a new industry standard has been established for reasonable and appropriate safeguards to protect against cyber-attacks.

The guidelines are the product of the Cybersecurity Act of 2015,[2] which directed the Secretary of HHS to establish, through a collaborative process with government and health care industry stakeholders, a common set of voluntary, consensus-based, and industry-led guidelines to reduce cybersecurity risks in a cost-effective manner.[3] Significantly, the guidelines recognize that health care organizations vary significantly by size, type, technological sophistication, and availability of resources. Like the HIPAA Security Rule, the guidelines permit individual health care organizations to tailor their cybersecurity practices to their own individual needs. To help entities determine appropriate cybersecurity practices, the guidelines offer two separate technical volumes—one for small health care organizations, and one for medium and large health care organizations. As underscored by the guidelines, it is critical that each health care organization, regardless of size, evaluate its vulnerabilities to cybersecurity threats and take steps to ensure that it is reasonably protected from cyber-attacks. Hackers typically look for targets that require the least time, effort, and money to exploit. No entity, no matter how small, is safe!

The following 5 cybersecurity threats were identified as the most prevalent in health care organizations: e-mail phishing attacks; ransomware attacks; loss or theft of equipment or data, insider, accidental or intentional data loss; and attacks against connected medical devices that may affect patient safety. The guidelines recommend the following 10 cybersecurity practices to mitigate against the foregoing risks: e-mail protection systems; endpoint protection systems; access management; data protection and loss prevention; asset management; network management; vulnerability management; incident response; medical device security; and cybersecurity policies.

Cyber-attacks are an increasingly serious matter. In 2017, cyber-attacks cost small and medium-sized businesses an average of $2.2 million. And across all industries, the health care industry experiences the highest cost for data breaches, with an estimated cost of $408 per record breached in 2018 (up from $380 in 2017). Cyber-attacks can also pose serious danger to patients. As recent breaches have shown, hackers are capable of infiltrating and disrupting connected medical devices like heart monitors and freezing entire EHR systems, depriving patients of vital medical care. On top of all that, successful cyber-attacks cause serious reputational harm to affected entities.

The guidelines should remind organizational leaders that protecting against cyber-attacks is the responsibility of all workforce members, not just the IT department. Workforce members must understand and be familiar with their entities’ policies and procedures, and entities are responsible for ensuring that their workforce members are in compliance with their policies and procedures. Education and training are essential at all organizational levels to prevent cyber-attacks and respond appropriately when—not if—a cyber-attack occurs.

As health care organizations embark on their 2019 work plans, they would be well advised to consider that the cybersecurity guidelines may well signal a new industry standard for protecting against cybersecurity threats. In addition, although the cybersecurity guidelines are currently voluntary, HHS may incorporate the guidelines in its audits, or require the adoption of the guidelines in the future. The full effect of the guidelines will be determined over time as they are implemented by the health care industry and interpreted by the courts. In the meantime, and in light of the new guidelines and rising cost of cyber-attacks, is your organization ringing in the New Year by prioritizing cybersecurity on its 2019 work plan?

[1] Healthcare & Pub. Health Sector Coordinating Councils, Dep't of Health & Human Servs., Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (Dec. 28, 2018), https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx.

[2] Pub. L. No. 114-113, 129 Stat. 2242 (2015).

[3] 6 U.S.C. § 1533(d)(1).