HHS Issues Voluntary Cybersecurity Guidance for Health Care Orgs
Dubbed 'Health Insurance Cybersecurity Practices: Managing Threats and Protecting Patients,' the four-volume publication is the culmination of a two-year effort by 150 government and private health care and cybersecurity experts.
January 04, 2019 at 01:00 AM
The original version of this story was published on Corporate Counsel
In 2016, $6.2 billion was lost by U.S. health care systems because of data breaches, according to a new report by the U.S. Department of Health and Human Services. But the department is aiming to reduce that figure by providing voluntary cybersecurity practices to health care organizations of all sizes.
Dubbed “Health Insurance Cybersecurity Practices: Managing Threats and Protecting Patients,” the four-volume publication is the culmination of a two-year effort by 150 government and private health care and cybersecurity experts. The task force's work was legislatively mandated by a 2015 federal law that charges the group with analyzing and making recommendations regarding securing and protecting the health care sector against cybersecurity incidents.
“Given the increasingly sophisticated and widespread nature of cyberattacks, the health care industry must make cybersecurity a priority and make the investments needed to protect its patients,” the report stated.
The two volumes of the report discuss the 10 cybersecurity practices and subpractices for small health care organizations and medium-sized and large health care businesses, respectively. Both are intended for IT and/or IT security professionals.
“It is tempting for those who own a health care practice or are part of a small-to-medium–sized health care organization to think that cyberattacks only affect large hospitals and health care organizations,” the report said. “However, attackers [who targeted the health care industry] focused on smaller targets, resulting in a lower number of leaked records in that industry.”
A third portion of the report provides resources and templates, while its 36-page, anecdote- and statistic-laden main document discusses the current cybersecurity threats facing the health care industry and issues a call to action for the health care industry, especially executive decision makers, with the goal of raising general awareness of the issue.
“Like combatting a deadly virus, cybersecurity requires mobilization and coordination of resources across myriad public and private stakeholders, including hospitals, IT vendors, medical device manufacturers, and governments (state, local, tribal, territorial, and federal) to mitigate the risks and minimize the impacts of a cyberattack,” it said.
The document, its authors added, “does not create new frameworks, re-write specifications, or 'reinvent the wheel.'”
Rather, it attempts to “move the cybersecurity needle” by starting to “educate health sector professionals on an important and generally accepted language of cybersecurity and answering the prevailing question, 'Where do I start and how do I adopt certain cybersecurity practices?'”
Part of that process, the main document said, is understanding five of the most current and common cybersecurity threats to health care organizations, which the report identified as: e-mail phishing attack; ransomware attack; loss or theft of equipment or data; insider, accidental or intentional data loss; and attacks against connected medical devices that may affect patient safety.
“These threats can affect organizations in various parts of a hospital and in different health care settings,” according to the report. “Cyberattacks can happen anywhere, any time.”