by Ryan Bergsieker, Reid Rector, and Josiah J. Clarke

On December 28, 2018, a Task Group that includes U.S. Department of Health and Human Services (“HHS”) personnel and private-sector health care industry leaders published new guidance for health care organizations on cybersecurity best practices.[1]  The guidance—Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients—is voluntary and creates no legal obligations.  It is targeted to health care providers, payors, pharmaceutical companies, and medical device manufacturers. 

This publication is among the most comprehensive and detailed guidance now available to the health care industry on cybersecurity.  While voluntary, the prescriptive advice and scalable tools in the new guidance may be a valuable resource for legal, compliance, IT, and information security professionals at health care organizations.  Organizations that follow this guidance may decrease the likelihood that they will suffer a costly data breach, and in the event of a breach may be able to point to compliance with the guidance to show that they have implemented reasonable cybersecurity practices, thereby helping to defend against private lawsuits or government enforcement actions. 

This alert briefly describes the background and key takeaways from the guidance.  Gibson Dunn is available to answer any questions you may have about how this guidance applies to your organization, as well as any other topics related to cybersecurity or privacy in the health care industry. Continue reading →