DHHS Publishes Cybersecurity Guidance for Health Care Organizations

In late December 2018, the Department of Health and Human Services (HHS) published “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients,” intended to reduce cybersecurity risk through the use of practical, cost-effective cybersecurity guidelines. Pursuant to Section 405(d) of the Cybersecurity Act of 2015, HHS convened a Task Group of more than 150 health care and cybersecurity experts to develop industry-led, implementable, and voluntary cybersecurity practices that reduce both the number of cybersecurity attacks on the health care industry and the burden those attacks impose. The Task Group determined that it could not identify and address every existing cybersecurity challenge, and therefore chose to highlight the five most pressing cybersecurity threats and the ten cybersecurity practices most likely to have a significant protective effect within the health care industry.

Top Five Cybersecurity Threats

(1) Email phishing attacks: an attempt to trick users into giving out information by email, typically a message carrying an active link or an attached file. Task Group-identified vulnerabilities include:

  • Lack of awareness training
  • Lack of IT resources for handling suspicious emails
  • Lack of email software that scans for and detects malicious content

Based on these and other identified vulnerabilities, the Task Group suggests that health care organizations:

  • Train staff to recognize suspicious emails and to know where to forward them
  • Never open email attachments from unknown senders
  • Tag external emails to make them recognizable to staff

(2) Ransomware attacks: ransomware is malware that denies access to a user’s data, usually by encrypting it with a key known only to the attacker who deployed it, until a ransom is paid. Task Group-identified vulnerabilities include:

  • Lack of system backup
  • Lack of anti-phishing capabilities
  • Lack of anti-malware detection and remediation tools

Based on these and other identified vulnerabilities, the Task Group suggests that health care organizations:

  • Use strong, unique usernames and passwords together with multi-factor authentication
  • Limit which users may log in through remote desktop services
  • Limit the rate of allowed authentication attempts to thwart brute-force attacks
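
The third bullet is easy to state and easy to get half right. The following is an added example, written for this summary and not taken from the HICP or the Task Group, of what "limit the rate of allowed authentication attempts" looks like in practice: failed logins are counted per account and per source address over a sliding window, and either key that reaches the threshold is locked for a fixed period. Locking on the source as well as the account is what stops password spraying, where one host tries a single password against many usernames and no single account ever sees more than one failure. The thresholds, durations, usernames and IP addresses are assumed values chosen for the demonstration.

```python
"""Added example (not part of the HICP): throttling login attempts per account and
per source address so that a brute-force or password-spraying campaign against a
remote-access service locks out quickly.  All thresholds below are assumed."""
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures within the window that trigger a lock (assumed)
WINDOW_SECONDS = 300    # sliding window over which failures are counted (assumed)
LOCKOUT_SECONDS = 900   # how long a locked account or source stays locked (assumed)


class AuthRateLimiter:
    """Counts failed logins per account and per source IP.

    Keying on the source as well as the account means one host that sprays a
    single password across many usernames is locked even though no single
    account sees more than one failure.  Time is passed in explicitly so the
    behaviour is deterministic and testable.
    """

    def __init__(self):
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lock expires

    def _prune(self, key, now):
        """Drop failures that have aged out of the sliding window."""
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, key, now):
        """True while the key is locked; expired locks are cleared on the way out."""
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def check(self, username, source_ip, now):
        """May this attempt proceed to password verification at all?"""
        return not (self.is_locked(f"user:{username}", now)
                    or self.is_locked(f"ip:{source_ip}", now))

    def record(self, username, source_ip, success, now):
        """Record the outcome; lock any key that has reached MAX_FAILURES.

        A success resets only the account's counter.  The source counter is kept
        so a spraying host that happens to hit one valid credential does not
        wipe out the evidence against it.
        """
        if success:
            self._failures[f"user:{username}"].clear()
            return
        for key in (f"user:{username}", f"ip:{source_ip}"):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= MAX_FAILURES:
                self._locked_until[key] = now + LOCKOUT_SECONDS


def attempt(limiter, username, source_ip, password_ok, now):
    """Run one login attempt through the limiter and report what happened.

    'locked' means the attempt was refused before the password was even checked,
    which is the point: a locked attacker learns nothing about the credential.
    """
    if not limiter.check(username, source_ip, now):
        return "locked"
    limiter.record(username, source_ip, password_ok, now)
    return "success" if password_ok else "failure"


if __name__ == "__main__":
    # Constructed scenario: one host guesses dr.smith's password once a second.
    lim = AuthRateLimiter()
    for t in range(7):
        print(t, attempt(lim, "dr.smith", "203.0.113.7", False, t))
    # The same host trying another account is refused too (source lock) ...
    print(8, attempt(lim, "nurse.lee", "203.0.113.7", True, 8))
    # ... and the same account from a different host is refused (account lock).
    print(9, attempt(lim, "dr.smith", "198.51.100.4", True, 9))
    # After the lockout expires a correct password goes through again.
    print(908, attempt(lim, "dr.smith", "203.0.113.7", True, 7 + LOCKOUT_SECONDS + 1))
```

Two design points are worth carrying over to whatever real control is used: the refusal happens before the password is verified, so a locked attacker cannot distinguish a wrong guess from a right one, and the lock has a finite duration, so a hostile party cannot permanently deny a clinician access simply by guessing badly on purpose.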

(3) Loss or theft of equipment or data: where a lost or stolen device was not appropriately protected, the loss may result in unauthorized or unlawful access to, dissemination of, and use of sensitive data. Task Group-identified vulnerabilities include:

  • Lack of asset inventory and control
  • Lack of encryption
  • Lack of physical security practices and simple safeguards

Based on these and other identified vulnerabilities, the Task Group suggests that health care organizations:

  • Encrypt sensitive data
  • Implement a safeguards policy for mobile devices supplemented with ongoing user awareness training on securing these devices
  • Develop a procedure to securely erase sensitive data from every device before it is retired, refurbished, or resold

(4) Insider, accidental or intentional data loss: an accidental insider threat is an unintentional loss caused by honest mistakes, procedural errors, or some degree of negligence. An intentional insider threat is a malicious loss or theft caused by a user of the organization’s technology infrastructure, network, or databases, acting for personal gain or to harm the organization. Task Group-identified vulnerabilities include:

  • Lack of adequate monitoring, tracking, and auditing of access to protected health information (PHI) in electronic health record (EHR) systems
  • Lack of technical controls to monitor the transfer of sensitive data
  • Lack of training about social engineering and phishing attacks

Based on these and other identified vulnerabilities, the Task Group suggests that health care organizations:

  • Train staff and IT users on data access and financial control procedures
  • Audit workforce access to health record systems and sensitive data
  • Use privileged access management tools to report access to critical technology infrastructure and systems
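
Workforce access auditing only helps if someone actually reviews the audit trail for the patterns the insider bullets describe. The following is an added example, written for this summary and not taken from the HICP or any EHR vendor, of a first-pass review script: it reads a constructed EHR access log and flags clinical users opening charts of patients they are not treating, access outside normal hours, and bulk access to many distinct patients in a short span. The log format, role names, care-team assignments, shift hours and thresholds are all assumptions for the demonstration; a real review would take the treatment relationship from scheduling or admission data and tune the thresholds to the department.

```python
"""Added example (not part of the HICP): a first-pass review of an EHR access
audit trail for the patterns the insider-threat bullets point at: access with no
treatment relationship, after-hours access, and bulk record access.  Roles,
shift hours, thresholds and the log format are all assumed for the demo."""
import datetime as dt
from collections import defaultdict

CLINICAL_ROLES = {"physician", "nurse"}   # roles expected to have a care relationship (assumed)
SHIFT_START, SHIFT_END = 7, 19            # normal access hours, 07:00-19:00 (assumed)
BULK_THRESHOLD = 10                       # distinct patients per window that counts as bulk (assumed)
BULK_WINDOW_SECONDS = 3600

# Constructed care-team assignments (user -> patients the user is treating).
ASSIGNMENTS = {
    "dr.smith": {"P1001", "P1002", "P1003"},
    "nurse.lee": {"P1001", "P1004"},
}

# Constructed sample audit trail, not real data: timestamp user role patient action.
SAMPLE_LOG = "\n".join([
    "2018-12-28T08:05:12 dr.smith physician P1001 view",
    "2018-12-28T08:07:44 dr.smith physician P1002 update",
    "2018-12-28T22:14:03 dr.smith physician P2048 view",
    "2018-12-28T15:30:00 nurse.lee nurse P1004 view",
    "2018-12-28T15:31:10 nurse.lee nurse P1002 view",
] + [f"2018-12-28T09:{i:02d}:00 billing.kim billing P3{i:03d} view" for i in range(12)])


def parse_log(text):
    """Parse the whitespace-separated audit lines into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split()
        events.append({"ts": dt.datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def review(events, assignments):
    """Return (user, rule, detail) findings for the three rules described above."""
    findings = []
    recent = defaultdict(list)     # user -> [(ts, patient)] inside the bulk window
    bulk_flagged = set()           # users already reported for bulk access
    for e in events:
        user, ts, patient = e["user"], e["ts"], e["patient"]
        where = f"{patient} at {ts.isoformat()}"
        # Rule 1: clinical staff should only open charts of patients they treat.
        # Non-clinical roles such as billing are exempt from this rule only.
        if e["role"] in CLINICAL_ROLES and patient not in assignments.get(user, set()):
            findings.append((user, "no_treatment_relationship", where))
        # Rule 2: access outside normal hours deserves a second look.
        if not SHIFT_START <= ts.hour < SHIFT_END:
            findings.append((user, "after_hours", where))
        # Rule 3: many distinct patients in a short span looks like export or snooping.
        window = recent[user]
        window.append((ts, patient))
        while (ts - window[0][0]).total_seconds() > BULK_WINDOW_SECONDS:
            window.pop(0)
        distinct = {p for _, p in window}
        if len(distinct) >= BULK_THRESHOLD and user not in bulk_flagged:
            bulk_flagged.add(user)
            findings.append((user, "bulk_access",
                             f"{len(distinct)} distinct patients within "
                             f"{BULK_WINDOW_SECONDS}s ending {ts.isoformat()}"))
    return findings


if __name__ == "__main__":
    for user, rule, detail in review(parse_log(SAMPLE_LOG), ASSIGNMENTS):
        print(f"{user:12} {rule:26} {detail}")
```

On the constructed data the script reports the billing user for opening ten distinct charts in under ten minutes, the nurse for opening a chart outside her assignments, and the physician twice for a single after-hours access to a patient he is not treating. Each of these is a lead for a human reviewer, not a verdict; the value of the exercise is that the leads surface within the retention period of the log rather than after a complaint.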

(5) Attacks against connected medical devices that may affect patient safety: such attacks can disrupt clinical operations broadly and directly endanger patients. Task Group-identified vulnerabilities include:

  • Patches not applied promptly
  • Equipment that is not current, or legacy equipment that is outdated
  • The heterogeneity of medical devices, which makes identifying and remediating vulnerabilities complex and resource intensive

Based on these and other identified vulnerabilities, the Task Group suggests that health care organizations:

  • Assess current security controls on networked medical devices
  • Engage information security as a stakeholder in clinical procurements
  • Use a template for contract language with medical device manufacturers and others

Ten Practice Categories to Mitigate Cybersecurity Threats

The HICP also includes two technical volumes: Technical Volume 1 is written for small health care organizations, and Technical Volume 2 for medium and large ones. Both volumes present the ten practices listed below, each accompanied by a series of sub-practices and implementation recommendations. A health care organization should first determine whether it is a small, medium, or large organization so that it consults the applicable volume, and then refer to Appendix E of the HICP for help identifying the sub-practices that will be most protective for its circumstances. The ten practice categories for mitigating cybersecurity threats are: (1) Email protection systems; (2) Endpoint protection systems; (3) Access management; (4) Data protection and loss prevention; (5) Asset management; (6) Network management; (7) Vulnerability management; (8) Incident response; (9) Medical device security; and (10) Cybersecurity policies.

Importantly, the Co-Lead authors of the publication stress that they do not intend the practices to become a mandatory set of requirements for all organizations, since a one-size-fits-all approach would not be effective given the nature of the health care industry and how quickly cybersecurity threats evolve and adapt. Given the frequency of such attacks, however, and the disruption to the provision of care and the costs they cause, health care organizations should use the tools the HICP provides to conduct self-assessments, identify their most significant weaknesses, and take the steps necessary to defend against the greatest cybersecurity threats.


Please do not hesitate to contact Steve Johnson, Esq. (sjohnson@kozakgayer.com), Mike Burian, Esq. (mburian@kozakgayer.com), or Taylor Fawns, Esq. (tfawns@kozakgayer.com), at (207) 621-4390 if you have questions regarding this new guidance, or if you would like our assistance in reviewing and updating your policies and procedures to ensure that they are in alignment with the practices recommended in the HICP.