HHS releases voluntary cybersecurity guidance

The U.S. Department of Health and Human Services on Friday released the four-volume voluntary guidance for healthcare organizations titled “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.”


Mandated under the Cybersecurity Act of 2015, the HICP report was developed by a task force of more than 150 cybersecurity and healthcare experts.

HHS said protecting against cyberattacks is like fighting a deadly virus. It takes mobilization and coordination of resources across myriad public and private stakeholders, including hospitals, IT vendors, medical device manufacturers, and governments, to minimize risks and impact.

What’s more, the average cost of a data breach per healthcare organization is $2.2 million, according to the HHS report.  

Erik Decker, industry co-lead on the publication and chief information security and privacy officer for the University of Chicago Medicine, said the healthcare industry is “truly a varied digital ecosystem.”

According to Decker, the HHS task force “heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats.” That’s why authors of the report included recommendations for the C-suite, as well as for IT experts.

HHS officials said that cybersecurity remains a top priority for the agency and stressed the importance of private-public partnerships — like the one used to write HICP — to protect critical infrastructure. In the coming months, HHS will work to raise awareness of the publication and to implement the suggested cybersecurity practices across the healthcare industry, officials said.

The report listed the five most relevant and current threats to the industry as phishing, ransomware, loss or theft of equipment or data, insider accidental data loss, and attacks against digital health tools.


During October we ran a special series on cybersecurity and discovered that weaponized malware, hackers holding data hostage, social engineering and spearphishing campaigns were just a few of the attacks common today.

Hospitals have the devastating task of trying to guard against the next big threat – not knowing when it will come or what it will look like. Security dashboards can be invaluable. They can showcase everything a CIO or CISO needs to know about their security posture, we wrote. CIOs and CISOs are coming to depend on their security dashboards to plan strategies and tactics.


“Cybersecurity is everyone’s responsibility,” said Janet Vogel, HHS Acting Chief Information Security Officer. “It is the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

Diana Manos is a Washington, D.C.-area freelance writer specializing in healthcare, wellness and technology. 


Healthcare IT News is a HIMSS Media publication. 