HHS Releases Cybersecurity Threat Mitigation Guide

Dickinson, Mackaman, Tyler & Hagen, P.C.

Dickinson, Mackaman, Tyler & Hagen, P.C.

The Department of Health and Human Services (“HHS”) has released the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” guide. The publication contains a comprehensive summary of cybersecurity threats for the healthcare industry, and technical details for mitigating those cybersecurity risks. The technical volumes in the publication are particularly helpful because they reference specific sections of the cybersecurity standards published by the National Institute of Standards and Technology (“NIST”). Organizations that are trying to ensure NIST compliance will therefore find the HHS guide useful in assessing their own cybersecurity preparedness.

Even though HHS produced this publication for hospitals and healthcare organizations, many of the recommendations are broadly applicable to organizations of all kinds. Many of the same procedures and practices can secure organizations across all industries from cybersecurity threats. For example, this blog has previously covered the regulatory framework produced by the New York Department of Financial Services. That framework, like the recent HHS publication, is a useful framework for all organizations that are concerned about cybersecurity preparedness. Some of the key lessons from these rules and guidance documents are:

Phishing Training. This blog has covered numerous cases where phishing schemes have led to cybersecurity incidents. Phishing is a challenging threat vector to mitigate, because unlike many other kinds of risks it is not possible to purchase hardware or software to completely eliminate the risk. Ultimately, organizations depend on their employees to identify and quarantine phishing attempts. Organizations must therefore train their employees to identify suspected phishing attempts, and avoid interacting with fraudsters.

Elevate Cybersecurity. Cybersecurity is not just an issue for the IT department. Senior leadership needs to be involved in understanding cybersecurity threats and implementing controls to reduce those risks. This could take the form of hiring a new manager or officer, or adding responsibilities to an existing position. In either case, senior management should devote time to understanding cybersecurity risks and mitigating those risks.

Conduct Vulnerability Assessments. Periodic vulnerability tests are an important part of cybersecurity. These tests can take the form of phishing tests for employees and penetration testing of an organization’s external firewalls. Cybersecurity is constantly evolving, so organizations need to make sure they are adapting to the latest set of threats.

Implement Controls. Cybersecurity depends on human judgment, which is never perfect. Organizations can expect that some employees will fall victim to a phishing scheme, so it is important that no single employee has the ability to do something that is devastating to the organization. This can mean limiting the amount of funds any single employee is capable of transferring, or limiting access to certain kinds of sensitive information. Ultimately, organizations need to purchase insurance as a final form of risk mitigation. However, as this blog has previously covered, simply buying “cyber” insurance may not mean an organization is completely covered.

Prepare for the Worst. A cybersecurity incident is not inevitable, but organizations should plan like it is. That means organizations should have an incident response plan that identifies the legal, computer forensic, and insurance professionals the organization plans to contact in the event of an incident. Organizations should review that plan from time to time to make sure that the organization is ready if an incident occurs.

Organizations today have the benefit of resources like the New York Department of Financial Services regulations and HHS’s publication to guide cybersecurity readiness. It doesn’t matter that these were prepared for financial institutions and health care organizations, because the lessons are broadly applicable to all kinds of organizations.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dickinson, Mackaman, Tyler & Hagen, P.C. | Attorney Advertising

Written by:

Dickinson, Mackaman, Tyler & Hagen, P.C.

Dickinson, Mackaman, Tyler & Hagen, P.C. on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.