HHS Releases Voluntary Cybersecurity Practices for Health Industry

The Department of Health and Human Services on Friday released a publication containing voluntary cybersecurity practices to healthcare organizations ranging in size from local clinics to large hospital systems.

Titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” the four-volume publication is the result of a two-year public-private partnership between HHS and healthcare industry professionals. According to a press statement from HHS, more than 150 cybersecurity and healthcare experts participated in the effort, which was mandated through the Cybersecurity Act of 2015.

“Cybersecurity is everyone’s responsibility. It is the responsibility of every organization working in healthcare and public health,” Janet Vogel, HHS Acting Chief Information Security Officer said in a statement. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

The guidance is a mixture of highly technical solutions and common sense practices applicable to a wide range of healthcare facilities. The core of the document explores the five most relevant threats to the healthcare industry and recommends 10 cybersecurity practices to mitigate them. It also emphasizes the importance of moving quickly to address these threats.

“The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats,” said Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine. “That is exactly what this resource delivers; recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert.”