Perspective on New HHS Cybersecurity Guidance
February 11th, 2019
As healthcare organizations remain prime targets for hackers and cyberattacks, data security remains a top concern for practices and hospitals across the country. According to reports from the U.S. Office for Civil Rights (OCR), more than 13 million patients nationwide were affected by data breaches in 2018 alone. To help healthcare providers secure HIPAA-protected patient information, the U.S. Department of Health and Human Services (HHS) recently issued new guidance that outlines best practices for maintaining high-quality cybersecurity and avoiding potential data breaches.
This newly released guide is based on the work of a specialized task force made up of more than 150 industry and government cybersecurity and healthcare experts, and it includes four individual documents:
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (Main Guidance Document)
- Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations (Small Organization Guidance)
- Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations (Larger Organization Guidance)
- Resources and Templates
An accompanying Cybersecurity Practices Assessments Toolkit is currently in development, but it has not yet been finalized. Healthcare providers can receive an advance copy of this tool by emailing CISA405d@hhs.gov.
In addition to providing background information about the effects of cyberattacks and data breaches on the healthcare industry, the Main Guidance Document details five major threats to healthcare data security. For each item, the document lists related vulnerabilities, potential consequences, and practices that can help minimize the threat.
The outlined threat reduction techniques are directly tied to ten categories of cybersecurity practices (and related sub-practices) identified by the task force. The Small Organization Guidance and Larger Organization Guidance contain more in-depth discussion of these cybersecurity practices as they relate to the size and complexity of each intended audience.
This cybersecurity guidance is a valuable tool for practices looking to implement new data security strategies or strengthen existing policies. As part of the periodic review of data privacy and security policies and procedures, practice leaders should use these documents alongside other cybersecurity guidance material published by OCR to ensure they are addressing critical threats and implementing appropriate security measures.
Data privacy and security are important issues for every healthcare organization, and practice leaders should take advantage of all available resources to develop effective policies and procedures. Medical Mutual members seeking additional assistance are encouraged to consult the HIPAA Final Rule Guide or reach out to our Claims and Risk Management Departments at 800.662.7917.
Disclaimer: This post is written in general terms and is not a substitute for legal advice or intended to create an attorney-client relationship.
Sam Cohen is Medical Mutual’s Senior Vice President of Health Policy. Medical Mutual members may contact him directly at firstname.lastname@example.org and 919.878.7602. Readers can also follow him on Twitter @samuel_c_cohen.