As a result of ongoing efforts under the Cybersecurity Act of 2015, the Department of Health and Human Services (HHS) has partnered with public and private sector entities to develop guidance for healthcare entities seeking to prevent/address cybersecurity incidents. In December 2018, HHS issued Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients which provides education regarding cybersecurity issues facing healthcare providers as well as suggested best practices to address them.
In this guidance document HHS describes current cybersecurity threats to health care entities, including:
-
Email phishing attacks
-
Ransomware
-
Loss or theft of equipment/data
-
Insider accidental/intentional data loss
-
Attacks against connected medical devices
HHS provides tips for assessing a health care entity’s vulnerability to these threats as well as recommended actions to take to prevent such attacks from succeeding. The guidance document includes descriptions of specific incidents which brought hospitals and smaller practices to a halt. HHS cautions that smaller health care entities should not assume they will not be targeted and cites outside studies which found that 58% of malware attack victims are small businesses and that 60% of small businesses go out of business within six months of attacks.
Most health care entities are required by the Health Insurance Portability and Accountability Act (HIPAA) to have in place policies and procedures to protect electronic protected health information (ePHI) and prevent cybersecurity incidents. Among other things, HIPAA requires training of a healthcare entity’s workforce regarding cybersecurity incident prevention. This guidance would be a very useful tool for anyone creating/updating their HIPAA training program. This guidance can also help providers looking for more effective ways to protect the security of patient PHI and to meet HIPAA Privacy and Security Rule requirements.
