Department of Health and Human Services Releases Cybersecurity Guidelines

March 22, 2019

In December 2018, the Department of Health and Human Services (HHS) released its Health Industry Cybersecurity Practices (HICP), a set of voluntary cybersecurity guidelines for the private sector that builds on the National Institute of Standards and Technology (NIST) Cybersecurity Framework to address cybersecurity issues across healthcare organizations of all sizes.

The guidance, required by Section 405(d) of the Cybersecurity Act of 2015, sorts organizations into small, medium, and large categories and describes best practices and how each applies to each size of organization. The guidance also highlights the most prevalent threats to healthcare organizations: phishing, ransomware, loss or theft of equipment or data, insider threats to data, and attacks against connected medical devices. HHS included real-world scenarios to illustrate these risks, including the example of attackers using an email that appears to come from a credit card company to trick staff at a healthcare organization into downloading malware.

The 10 identified practices are:

  • Email protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

In addition to the practices, the document includes sub-practices tailored to different types of organizations. You can read the full guidance document at:

(This story was sourced from