Cybersecurity is a significant and growing compliance risk for health care organizations. If your organization fails to protect patients from cybersecurity risks, the result could be serious fines and penalties for non-compliance with federal and state cybersecurity and data breach laws. The good news is that the U.S. Department of Health & Human Services (“HHS”) recently released voluntary cybersecurity guidance for health care organizations.
The guidelines could help you avoid a HIPAA enforcement action similar to these cybersecurity settlements:
- $750,000 University of Washington Medical School Clinic settlement for an employee opening a spam email that contained malware that allowed hackers to access records for 90,000 patients
- $650,000 University of Massachusetts Speech Language and Hearing Clinic settlement for a malware infection that resulted in the impermissible disclosure of the names, addresses, Social Security numbers, birth dates, health insurance information, diagnoses, and procedure codes of 1,670 individuals
- $400,000 Metro Community Provider Network federally qualified health center settlement related to a hacker accessing 3,200 patients' protected health information after an email phishing incident
HHS's recently released voluntary cybersecurity guidance for health care organizations is called The Health Industry Cybersecurity Guidance (the “HICP Guidance”). It is a multi-volume publication that includes the following documents:
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients general document (examines current cybersecurity threats and presents steps to mitigate those threats);
- Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations (outlines cybersecurity best practices for smaller health care organizations with limited resources and limited access to information technology staff);
- Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations (outlines cybersecurity best practices for medium and large health care organizations with multiple sites, information technology staff, and adequate financial resources); and
- Resources and Templates (contains technical implementation recommendations for health care organization information technology staff and/or departments, and information technology resources and tools).
The Cybersecurity Act of 2015 required HHS to develop this HICP Guidance. The HICP Guidance was developed by an HHS task force of more than 150 public and private cybersecurity experts. The general HICP Guidance document focuses on five of “the most current and common cybersecurity threats” to the health care industry: (1) email phishing attacks; (2) ransomware attacks; (3) loss or theft of equipment or data; (4) insider, accidental or intentional data loss; and (5) attacks against connected medical devices that may affect patient safety.
Technical Volumes 1 and 2 of the HICP Guidance set forth 10 cybersecurity best practices designed to help mitigate the above-identified threats: (1) email protection systems; (2) endpoint protection systems; (3) identity and access management; (4) data protection and loss prevention; (5) asset management; (6) network management; (7) vulnerability management; (8) incident response; (9) medical device security; and (10) cybersecurity policies.
Your health care organization should use the HICP Guidance to evaluate cybersecurity risks, and may want to adopt and implement the recommended cybersecurity risk management best practices as part of your policies and procedures. The HICP Guidance is voluntary and intended to provide practical guidance rather than to impose a regulatory mandate; however, the HICP Guidance may lead to increased liability risks for health care organizations that fail to implement the recommended cybersecurity risk mitigation best practices, and could create a baseline for reasonableness in future health care organization data breach lawsuits. Members of Hinshaw & Culbertson's Health Law Practice Group have extensive experience counseling health care organizations on HIPAA and state law privacy and cybersecurity issues. For more information, please contact Michael Dowell, Esq. at (213) 614-7341, or visit the Hinshaw website.