The U.S. Department of Health and Human Services (“DHHS”) recently issued voluntary cybersecurity best practices for health care organizations, along with guidelines for managing cyber threats and protecting patients. In this author’s opinion, HIPAA is not a best practices standard but a lesser one (the “reasonable and appropriate” standard); even so, nothing in HIPAA precludes using a higher standard. Further, it may be wise to use a higher standard, such as these new cybersecurity best practices, if a significant threat exists to sensitive protected health information (“PHI”). And although one might quibble about whether a particular security measure is in fact reasonable and appropriate, if you are audited or sued it would be extremely difficult for an auditor or plaintiff to argue successfully that a security measure meeting the relevant best practices standard was not reasonable and appropriate.
The guidance aims to raise awareness of cybersecurity threats to the health care sector and to help health care organizations mitigate the threats that pose the greatest risks, namely email phishing attacks, ransomware attacks, loss or theft of equipment and data, accidental and intentional insider data breaches, and attacks on medical devices that could affect patient safety.
In this guidance, DHHS noted that the U.S. health care system had lost $6.2 billion in 2016 as a result of data breaches and that four out of five physicians had experienced some form of cyberattack. The cost of a data breach for a health care organization now averages $2.2 million.
DHHS drafted the guidance and best practices, titled Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, in response to a mandate in the Cybersecurity Act of 2015, Section 405(d), to issue practical guidelines to help health care organizations cost-effectively reduce health care cybersecurity risks.
The guidance is accompanied by two technical volumes that outline cybersecurity best practices tailored to the size of the organization: one volume for small health care providers, such as clinics, and a second for medium and large health care organizations. These volumes contain voluntary, consensus-based, industry-led guidelines, best practices, methodologies, procedures, and processes.
The technical volumes detail ten cybersecurity practices, one in each of the following areas, to mitigate the above threats:
- Email protection systems.
- Endpoint protection systems.
- Access management.
- Data protection and loss prevention.
- Asset management.
- Network management.
- Vulnerability management.
- Incident response.
- Medical device security.
- Cybersecurity policies.
A “cybersecurity practices assessments toolkit” is also available to help health care organizations prioritize threats and develop action plans to mitigate them. See “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” at https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf. Although much of this guidance has appeared in several of my Veterans Press compliance tools, at https://www.veteranspress.com/products/hipaa-hitech-compliance-tools, and in this blog, this document from DHHS should nonetheless be helpful, particularly in updating a covered entity’s or a business associate’s risk analysis, as required by the Evaluation Standard in HIPAA’s Administrative Safeguards, §164.308(a)(8).