As the health care sector continues to be a target of cyberattacks, the Department of Health and Human Services (DHHS) released new guidance to protect health care organizations from cyberattacks. This guidance is the result of recommendations from a task force of cybersecurity and health care industry experts convened to comply with the mandate in the Cybersecurity Act of 2015.
DHHS states that the goal of the guidance is to:
- cost-effectively reduce cybersecurity risks for a range of health care organizations;
- support the voluntary adoption and implementation of its recommendations; and
- ensure, on an ongoing basis, that content is actionable, practical, and relevant to health care stakeholders of every size and resource level.
The publication focuses on addressing email phishing, ransomware, loss or theft of data, insider threats, and targeted attacks against connected medical devices. Among its many recommendations, the guidance states that health care organizations (of any size) should have email protection systems, network management, cybersecurity policies, and data protection and loss prevention.
DHHS Deputy Secretary Eric Hargan explained that “cyberattacks are especially concerning because these attacks can directly threaten not just the security of our systems and information but also the health and safety of American patients.”
While compliance with this guidance is voluntary, health care entities should begin to implement the best practices provided in the guidance, as it is likely that the guidance recommendations will become the new standard of security in the health care industry.