New Cybersecurity Guidance for the Health Care Industry (and Last Call for HIPAA Rule Comments)

Katten Muchin Rosenman LLP

We discuss below two important updates impacting health care industry clients.

Important New Cybersecurity Guidance for the Health Care Industry

The US Department of Health and Human Services (HHS) has released an important new set of cybersecurity guidance documents for health care organizations of all types and sizes. Created by a task group comprised of cybersecurity and health care industry representatives from the public and private sectors, the guidance provides voluntary, consensus-based guidelines and best practices intended to "significantly move the needle" on five prevalent cybersecurity threats: e-mail phishing attacks; ransomware attacks; theft or loss of equipment or data; insider (accidental or intentional) data loss; and attacks on connected medical devices.

The guidance then recommends 10 cybersecurity practices that experts agree are effective in mitigating these threats:

  • E-mail protection systems;
  • Endpoint protection systems;
  • Access management;
  • Data protection and loss prevention;
  • Asset management;
  • Network management;
  • Vulnerability management;
  • Incident response;
  • Medical device security; and
  • Cybersecurity policies.

Helpfully, there are separate "technical" volumes (intended for information technology and security professionals) tailoring the 10 recommended cybersecurity practices to small organizations (such as a sole practitioner physician) and medium and large health care organizations (such as a sophisticated academic medical center), in an effort to make the information more actionable to organizations with varying levels of complexity and resources. There is no one-size-fits-all solution to cybersecurity, and the practices are presented as recommendations. These practices align with the outcomes listed in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The guidance is not intended to introduce new regulatory requirements, and implementation of the recommendations does not guarantee compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or other laws. However, the guidance is intended to (and no doubt will) push the industry toward greater consistency in how these critical cyber threats are addressed. Organizations should carefully review the guidance in the context of their overall cybersecurity program.

To obtain a copy of the guide, titled "Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients," please click here.

Want to Improve HIPAA? HHS is Accepting Public Comments Until February 12

HHS's Office for Civil Rights (OCR) is continuing to accept feedback from the public, via a Request for Information (RFI), on how to improve HIPAA's Privacy and Security Rules (the HIPAA Rules)1 in order to better promote coordinated, value-based health care and improve the process for sharing information.2

In particular, the RFI seeks recommendations on how to improve the HIPAA Rules generally, and also focuses on specific areas, including:

■ Promoting information sharing for treatment and care coordination and/or case management;

■ Encouraging the sharing of treatment information with parents and caregivers of adults facing health emergencies—especially related to the opioid crisis;

■ Implementing the accounting of disclosures from an electronic health record for treatment, payment and health care operations; and

■ Eliminating or modifying the requirement for health care providers to obtain a patient's written acknowledgment of receipt of the Notice of Privacy Practices.

To obtain a copy of the RFI, please click here.

1 See Department of Health and Human Services, Request for Information on Modifying HIPAA Rules to Improve Coordinated Care, Vol. 83 Federal Register No. 240, December 14, 2018, 64302.

2 See HHS Press Release, HHS seeks public input on improving care coordination and reducing the regulatory burdens of the HIPAA Rules, December 12, 2018.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Katten Muchin Rosenman LLP | Attorney Advertising
