On December 28, 2018, a Task Group that includes U.S. Department of Health and Human Services (“HHS”) personnel and private-sector health care industry leaders published new guidance for health care organizations on cybersecurity best practices. The guidance—Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients—is voluntary and creates no legal obligations. It is targeted to health care providers, payors, pharmaceutical companies, and medical device manufacturers.
This publication is among the most comprehensive and detailed guidance now available to the health care industry on cybersecurity. While voluntary, the prescriptive advice and scalable tools in the new guidance may be a valuable resource for legal, compliance, IT, and information security professionals at health care organizations. Organizations that follow this guidance may decrease the likelihood that they will suffer a costly data breach, and in the event of a breach may be able to point to compliance with the guidance to show that they have implemented reasonable cybersecurity practices, thereby helping to defend against private lawsuits or government enforcement actions.
This alert briefly describes the background and key takeaways from the guidance. Gibson Dunn is available to answer any questions you may have about how this guidance applies to your organization, as well as any other topics related to cybersecurity or privacy in the health care industry.
The health care industry is a primary target for attacks by cyber-criminals. The threat is especially critical because by at least one measure the average cost of a data breach in the health sector is $408 per record, almost double that of the next highest industry. In recent years, moreover, HHS’s Office for Civil Rights (“OCR”)—the office charged with enforcing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)—has demonstrated an increasing willingness to bring enforcement actions against even reputable and respected organizations that have suffered a data breach.
The new guidance comes against this backdrop and as the result of the Cybersecurity Act of 2015, which required HHS to issue guidance through a “trusted platform and tighter partnership between the United States government and the private sector.” Under Section 405(d) of the Act, industry and government leaders formed a Task Group in May 2017 to create a set of “voluntary, consensus-based principles and practices to ensure cybersecurity in the Health Care and Public Health (HPH) sector.” This guidance is the result of 18 months of work by the Task Group.
Recognizing that it would be impossible to address every cybersecurity challenge in a single publication, the Task Group focused on five prevalent cybersecurity threats: 1) e-mail phishing attacks, 2) ransomware attacks, 3) loss or theft of equipment or data, 4) insider, accidental or intentional data loss, and 5) attacks against connected medical devices that may affect patient safety. For each of the five high risk cybersecurity threats, the guidance describes the risk, lists specific vulnerabilities and the potential effects of these vulnerabilities, and offers a list of “practices to consider” to help minimize the threat.
The Task Group then identified a set of voluntary best practices and organized them into ten categories:
- E-mail Protection Systems
- Endpoint Protection Systems
- Access Management
- Data Protection and Loss Prevention
- Asset Management
- Network Management
- Vulnerability Management
- Incident Response
- Medical Device Security
- Cybersecurity Policies
Information regarding each of these practice categories is detailed in two supplementary technical volumes—one addressing the needs of small organizations and the other addressing the requirements of medium and large organizations—as well as a supplemental volume of additional resources and templates. The guidance also provides a toolkit for determining and prioritizing the cybersecurity practices that would be most effective, which can be used to assist organizations in conducting a cybersecurity risk assessment.
The specific practices identified in the guidance are not intended to replace existing regulatory requirements or frameworks (such as the HIPAA Security Rule or the NIST Cybersecurity Framework). Instead, they are intended to be a supplemental resource for health care organizations, with the goal of “rais[ing] the cybersecurity floor across the health care industry.” Specific application and resource allocation will be up to each organization, and the guidance recognizes that each organization will need to tailor cybersecurity practices to its specific size, complexity, and type. The guidance provides a chart to assist in determining these categorizations. Importantly, the guidance does not authorize any causes of action or grounds for regulatory enforcement.
Because of the long shadow of HIPAA, the health care industry has long been among the most heavily-regulated industries when it comes to cybersecurity practices. This new guidance offers an additional tool that health care organizations can use to gauge the adequacy of their systems and their preparedness for a cyber attack. Given that HHS OCR is simultaneously seeking comments on how it might update HIPAA’s requirements, and the explosion of enforcement activity and lawsuits related to cybersecurity and privacy more generally, health care organizations would be well-served to evaluate this guidance and refine or enhance their plans to address cybersecurity issues that regulators and plaintiffs are likely to examine increasingly in the years to come.
 Id. at 9.
 See, e.g., Press Release, Department of Health and Human Services, Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History (Oct. 15, 2018), Press Release, Department of Health and Human Services, Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules (Feb. 1, 2018).
 Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, at 4.
 Id. at 6.
 Id. at 26.
 Id. at 11.
 See Request for Information on Modifying HIPAA Rules to Improve Coordinate Care, 83 Fed. Reg. 64,302 (Dec. 14, 2018).
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.