HHS Guidelines on Cybersecurity Best Practices for Healthcare Organisations Released
The U.S. Department of Health and Human Services has issued a four-volume publication on voluntary cybersecurity best practices for healthcare organisations.
The publication includes guidelines for managing cyber threats and protecting patients. It is hoped that the guidelines will help all organisations that handle the protected health information (PHI) and other sensitive information of patients create a robust cybersecurity framework in their organisation. The risk to healthcare data from cyberthreats is growing as hackers grow more sophisticated in their attacks. However, by adopting some simple best-practices, organisations of any size-and with a wide range of budgets-are able to efficiently mitigate the risks of becoming a victim of such an attack.
The authors of the publication note that the document “does not create new frameworks, rewrite specifications, or ‘reinvent the wheel.’ We felt that the best approach to ‘moving the cybersecurity needle’ was to leverage the NIST Cybersecurity Framework, introducing the framework’s terms to start educating health sector professionals on an important and generally accepted language of cybersecurity and answering the prevailing question: ‘Where do I start, and how do I adopt certain cybersecurity practices?’”
The HHS notes that $6.2 billion was lost by the U.S. Health Care System in 2016 as a result of data breaches. Furthermore, nearly 80% of physicians in the United States have experienced some form of cyberattack. The average cost of a data breach for a healthcare organisation is now $2.2 million. The other costs, such as reputation damage, are much more difficult to assess.
“Cybersecurity is everyone’s responsibility. It is the responsibility of every organisation working in healthcare and public health,” said Janet Vogel, HHS Acting Chief Information Security Officer. “In all of our efforts, we must recognise and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”
The guidance and best practices – Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients – were developed in response to a mandate in the Cybersecurity Act of 2015 Section 405(d) to issue practical guidelines to help healthcare organisations cost-effectively reduce healthcare cybersecurity risks.
The guidelines were more than two years in the making. HHS consulted with more than 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.
“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers,” said Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine.
Two technical volumes have also been published that outline cybersecurity best practices for healthcare organisations tailored to the size of the organisation, to address their specific needs and differing abilities to tackle threats: One for small healthcare providers such as clinics and a second volume for medium healthcare organisations and large health systems. The documents contain a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes.
The aim of the guidance and best practices is threefold: To help healthcare organisations reduce cybersecurity risks to a low level in a cost-effective manner, to support the voluntary adoption and implementation of Cybersecurity Act recommendations, and to provide practical, actionable, and relevant cybersecurity advice for healthcare organisations of all sizes.
According to Greg Garcia, the executive director of cybersecurity for the Healthcare and Public Sector Coordinating Council, said “The practices, mapped to the NIST Cybersecurity Framework, are scalable and flexible, and we believe that if every healthcare organisation adopts these practices over time, we will see uniform improvement in our collective cyber preparedness and resilience.”
Ten cybersecurity practices are detailed in the technical volumes to mitigate the above threats in the following areas:
E-mail protection systems
Endpoint protection systems
Data protection and loss prevention
Medical device security
A “cybersecurity practices assessments toolkit” has also been made available to help healthcare organisations prioritise threats and develop action plans to mitigate those threats.
Following the publication of the guidelines, the HHS will be working closely with industry stakeholders to raise awareness of cybersecurity threats and implement the best practices across the health sector.