Department of Health and Human Services Releases Cybersecurity Guidelines

March 22, 2019

In December 2018, the Department of Health and Human Services (HHS) released its Health Industry Cybersecurity Practices, a set of voluntary cybersecurity guidelines for the private sector that leverages the National Institute of Standards and Technology (NIST) Cybersecurity Framework to address cybersecurity issues across health care organizations of all sizes.

The HHS guidance, required by the Cybersecurity Act of 2015, groups organizations into small, medium, and large categories, recommending best practices and how each type of organization should apply them. The guidelines also highlight the most prevalent threats to health care organizations, including phishing, ransomware, equipment or data theft, insider threats to data, and attacks against connected medical devices. HHS includes real-world scenarios to illustrate these risks, such as attackers using an email that appears to come from a credit card company to trick a health care organization into downloading malware.

The report describes 10 practices to mitigate cybersecurity threats to health care practices:

  • Email protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

In addition to the practices, the document includes sub-practices tailored to different types of organizations. You can read the full guidance document at:

(This story was sourced from the following article: