
Do the New Health Cybersecurity Guidelines Set a New Standard for Reasonable and Appropriate Safeguards?

Data Privacy & Security Alert
Meghan C. O'Connor

Nothing says happy holidays and happy New Year like a four-volume cybersecurity publication. On December 28, 2018, the U.S. Department of Health and Human Services (HHS) released the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients publication. The publication outlines the top five cybersecurity threats facing the health care industry, offers 10 practices to mitigate those threats, and provides a call-to-action to prioritize cybersecurity for patient safety and take timely proactive and preventative steps to improve cybersecurity posture.

The publication, released by HHS in partnership with industry and government cybersecurity and health care experts, is a set of voluntary cybersecurity practices for health care organizations of all types and sizes. According to HHS Deputy Secretary Eric Hargan (as quoted in the HICP), the publication is intended to be a practical, understandable, implementable, industry-led, and consensus-based set of voluntary cybersecurity guidelines for health care organizations of varying sizes, from local clinics to regional hospital systems and large health care systems.

The publication discusses five threats: e-mail phishing attacks, ransomware attacks, loss or theft of equipment or data, accidental or intentional insider data loss, and attacks against connected medical devices. After discussing these threats in the main document (Volume 1), the publication turns to its two technical volumes, one for small organizations and one for medium and large organizations. In each technical volume, the publication offers 10 recommended mitigation practices: e-mail protection systems, endpoint protection systems, access management, data protection and loss prevention, asset management, network management, vulnerability management, incident response, medical device security, and cybersecurity policies. A final volume of resources and templates leaves room for a forthcoming assessment toolkit that was still under development at publication.

The publication will be a useful roadmap for voluntary improvements to health care organizations' cybersecurity compliance programs, including important technical and policy updates. The guidelines add technical context to the relatively general administrative, physical, and technical safeguard language of the HIPAA Security Rule, which tells covered entities what to achieve but says little about how.

While the guidelines are voluntary, there is a real possibility that they will be treated as best practice, or as a new standard for what constitutes reasonable and appropriate safeguards and security practices in the health care industry. The publication itself notes that it was intended to be consensus-based. That raises several questions. Will health care organizations expect their vendors and business associates to meet these guidelines? Will regulators (e.g., the HHS Office for Civil Rights [OCR]) and courts look to these guidelines as the industry standard (e.g., finding negligence where an organization failed to act reasonably by not following them)? Will OCR treat implementation of the guidelines, or failure to implement them, as a mitigating or aggravating factor in a settlement or breach investigation?

Time will tell how the guidelines will be used by the industry, regulators, and the courts. However, health care organizations, and the entities that support the health care industry, should expect to see these guidelines getting attention and being referenced as a compliance or audit standard in cybersecurity addenda and business associate agreements, much as National Institute of Standards and Technology (NIST) standards are referenced today.

The publication addresses the health care industry as a whole, but it is written for patient-facing organizations: it frames cybersecurity as a patient safety need for practices and hospitals ranging from small to large. It does not expressly address health care organizations, or business associates, that are not patient-facing (e.g., laboratories or the pharmaceutical industry). While the main document (Volume 1) in particular is provider focused, the technical volumes offer sound recommendations that can be adapted to a variety of entities across the health care industry.

As the industry has time to digest these guidelines, we are likely to get a better sense as to how they will be implemented and disseminated throughout the industry, from providers to business associates to non-patient facing health care entities (and beyond the health care industry). Time will also give us a better sense as to how regulators and courts will view the guidelines. We may well be seeing our next industry standard for reasonable and appropriate cybersecurity safeguards in the health care industry (and beyond).

For questions about analyzing and implementing any of these recommendations, your health cybersecurity program, or this update, please contact: