The Department of Health and Human Services (HHS) released a healthcare cybersecurity guide on Friday in an effort to create consistency in mitigating cyber threats.
The department describes the voluntary guidelines, titled ‘Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients’, as “cost-effective methods that a range of healthcare organizations at every size and resource level can use to reduce cybersecurity risks”.
The guidance consists of four volumes, each addressing a different audience or topic: one for small healthcare organizations, one for medium and large providers, one of resources and templates for end users, and a main volume covering cybersecurity best practices for managing threats and protecting patients.
The volumes dedicated to small, medium and large healthcare organizations are geared toward IT and security professionals.
“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats,” said Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine. “That is exactly what this resource delivers: recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert.”
The publication was drafted following a two-year partnership with over 150 cybersecurity and healthcare experts, according to Health Data Management.
“Cybersecurity is everyone’s responsibility,” said Janet Vogel, HHS Acting Chief Information Security Officer. “It’s the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”
The core of the guide includes five current threats facing the industry and ten best practices for mitigating these threats.
The five current threats include:
- E-mail phishing attack
- Ransomware attack
- Loss or theft of equipment or data
- Insider, accidental or intentional data loss
- Attacks against connected medical devices that may affect patient safety
The ten practices for mitigating cyber threats include:
- E-mail protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
The guidance also provides real-life events and statistics that explain the cost and risks cyber threats pose to patient care.