January 4, 2019
The U.S. Department of Health and Human Services has issued unpaid cybersecurity best practices for healthcare companies and rules for managing cyber threats and protecting patients.
Healthcare technologies are necessary for providing care to patients, yet those technologies introduce dangers. If those dangers are not properly managed they can lead to disruption to healthcare operations, expensive data breaches, and harm to patients.
The HHS mentions that $6.2 billion was lost by the U.S. Health Care System in 2016 as a consequence of data breaches and 4 out of 5 doctors in the United States have experienced some type of cyberattack. The average cost of a data breach for a healthcare company is now $2.2 million.
“Cybersecurity is everybody’s responsibility. It is the responsibility of every company working in healthcare and public health,” said Janet Vogel, HHS Acting Chief Information Security Officer. “In all of our efforts, we should recognize and leverage the value of partnerships among government and industry stakeholders to confront the shared problems collaboratively.”
The help and best practices – Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients – were developed in reaction to a mandate in the Cybersecurity Act of 2015 Section 405(d) to issue useful guidelines to help healthcare companies cost-effectively decrease healthcare cybersecurity risks.
The guidance was developed over two years with help provided by over 150 cybersecurity and healthcare specialists from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.
“The healthcare industry is actually a varied digital ecosystem. We heard loud and clear through this process that providers require actionable and practical advice, tailored to their requirements, to manage modern cyber threats. That is precisely what this resource provides,” said Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine.
Two technical volumes have also been published that summarize cybersecurity best practices for healthcare companies tailored to the size of the company: One for small healthcare suppliers such as clinics and a second volume for medium healthcare companies and big health systems. The documents contain a common set of unpaid, consensus-based, and industry-led guidelines, best practices, methodologies, processes, and procedures.
The objective of the help and best practices is threefold: To help healthcare companies decrease cybersecurity dangers to a low level in a cost-effective way, to support the voluntary adoption and application of Cybersecurity Act recommendations, and to provide practical, actionable, and relevant cybersecurity advice for healthcare companies of all sizes.
The help aims to raise the consciousness of cybersecurity dangers to the healthcare sector and help healthcare companies mitigate the most impactful cybersecurity threats: Electronic mail phishing attacks, ransomware attacks, loss/theft of equipment and data, unintentional and intentional insider data breaches, and medical device attacks that could affect patient safety.
Ten cybersecurity practices are detailed in the technical volumes to mitigate the above threats in the following areas:
- Electronic mail protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Weakness management
- Incident reaction
- Medical device security
- Cybersecurity policies
A “cybersecurity practices assessments toolkit” has also been made available to help healthcare companies prioritize threats and develop action plans to mitigate those threats.
Over the next few months, the HHS will be working closely with industry stakeholders to raise the consciousness of cybersecurity threats and implement the best practices across the health sector.