New HHS Report Offers Practical Cybersecurity Guidelines and Resources for Health Care Providers and Payers
The U.S. Department of Health and Human Services (HHS) has published a report outlining best practices for health care cybersecurity. The report, entitled "Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients," offers a series of recommendations for providers, payers, and others working in the health care industry. The report stresses that, for the health sector, combatting cyberattacks must be a top priority because such attacks can threaten not just the security of data, but also the health and safety of patients. The report seeks to provide practical, understandable, and cost-effective guidelines for reducing cybersecurity risks.
The publication includes four volumes:
- The Main Document discusses the current cybersecurity threats facing the health care industry and provides "quick tips" for addressing them;
- Technical Volume 1 discusses 10 cybersecurity practices and sub-practices for small health care organizations;
- Technical Volume 2 discusses 10 cybersecurity practices and sub-practices for medium-sized and large health care organizations; and
- The Resources and Templates Volume provides additional resources and references to supplement the other documents.
The threats explored in the Main Document are:
- Email phishing attacks;
- Ransomware attacks;
- Loss or theft of equipment or data;
- Insider, accidental, or intentional data loss; and
- Attacks against connected medical devices that may affect patient safety.
The Technical Volumes detail 10 practices to mitigate these threats:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
The Main Document, Technical Volumes, and Resources and Templates are available here.
Contact: Karen Lipson, klipson@leadingageny.org, 518-867-8383 ext. 124