The law firm Gibson, Dunn & Crutcher LLP cited the U.S. Department of Health and Human Services (HHS) December 28, 2018, publication of Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, a product of the Healthcare & Public Health Sector Coordinating Councils’ Public Private Partnership. The publication includes a disclaimer:
“This document is provided for informational purposes only. Use of this document is neither required by nor guarantees compliance with federal, state, or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. This document is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks.”
“The goal of the publication is to foster awareness, provide practices, and move towards consistency … in mitigating the current more impactful cybersecurity threats:
- E-mail phishing attacks
- Ransomware attacks
- Loss or theft of equipment or data
- Insider, accidental, or intentional data loss
- Attacks against connected [networked] medical devices that may affect patient safety.”
Accompanying the publication are two technical volumes that provide cybersecurity practices for:
- Volume 1: Small organizations.
- Volume 2: Medium and large organizations.
Each volume is then organized by the practices that address the specific threats, as appropriate:
- E-mail protection systems
- Endpoint protection systems
- Access management
- Data protection and loss protection
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies.
Across the ten practices are 88 sub-practices, with implementation recommendations.
Gibson Dunn refers to Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients as “among the most comprehensive and detailed guidance now available to the health care industry on cybersecurity.” For defining cybersecurity practices to thwart or mitigate threat attacks, CAIPHI recommends that it and the technical volumes be used along with the content of the NIST Cybersecurity Framework and NIST Draft Special Publication 800-53 Revision 5, each of which CyPHIcomply™ provides organized by HIPAA Security Rule Administrative, Physical, and Technical standard and implementation specification.