HHS cybersecurity guidance ramps up pressure to protect data

New cybersecurity best practices from the Department of Health and Human Services are more than helpful suggestions for provider organizations. They set security practices that are likely to become the de facto standard industry-wide.

The new guidance, available here, should not be ignored, says Bruce Armon, a health law partner in Philadelphia-based Saul Ewing Arnstein & Lehr. The federal agency expects its guidance to be followed, he says.

HHS wants to see adequate cybersecurity technology and processes, personnel trained in cyber awareness and additional appropriate controls, emphasizes Marcus Christian, a partner in the Mayer Brown law firm in Washington.

“This is not just an IT problem, as the legal, privacy and HR departments will all be involved. Regulators are being more actively involved in high-level standards and particular guidance, and they want to see a formal security program with a customized incident response plan,” Christian says. “Failure to implement will lead to negative consequences in the future if appropriate controls are not put in place.”

Christian also cautions that state attorneys general and other regulators are becoming more active in overseeing the health industry’s progress toward improved data security. “The HHS publication is intended to highlight the need to improve. This year, HHS will look at how well the industry is taking security seriously.”

Dedicating resources to maintain oversight of security is a challenge for all healthcare entities, particularly smaller ones. Smaller organizations are particularly at risk because attackers often target these practices looking for easy ways into their networks, since a practice or small hospital likely will not have sophisticated cyber expertise, adds Karilynn Bayus, vice chair of the healthcare practice at the law firm.

For the most part, the HHS best practices are not costly measures to implement, and the practices are especially helpful for organizations that don’t know where to start, according to Bayus.

“You have to commit to examining and understanding where data is and the threats, vulnerabilities and risk levels,” she notes. “A thoughtful plan needs to be put in place.”



“Take a risk-based approach and examine the biggest threats and the potential for impact on the data, which could affect patient care,” she advises. If the organization doesn’t have a cyber-awareness culture, it must develop one, regardless of size, attorneys warn.

Often, a cyber attack will come in the form of ransomware, which can happen anytime and anywhere, Armon says. If a provider cannot fight off an attack, its ability to pay a ransom depends on the scope of the attack and the level of insurance that the organization has. “But first, make sure this is a real threat and the information systems are actually handicapped, and then contact law enforcement officials,” he counsels.

“A ransomware attack must be treated as a potential data breach and as a security incident,” Bayus adds. “You need to understand what happened to the data. Was it deleted or manipulated?”
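The question Bayus raises, what actually happened to the data, is one that a pre-incident integrity baseline can answer. The following is an added example, not code from the article, from HHS or from either law firm: it hashes a directory tree into a baseline manifest, compares the current tree against it after a (simulated) incident, and classifies every file as unchanged, modified, deleted or new, flagging modified files whose contents now look encrypted. The file names, record contents, the toy "encryption" routine and the entropy threshold of 7.5 bits per byte are all constructed assumptions for the demo.

```python
# Added example (not from the article): post-incident data triage against an
# integrity baseline. All file names, contents and thresholds are constructed.
import hashlib
import math
import os
import tempfile
from collections import Counter


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Relative path -> SHA-256 for every file under root.
    In practice this is taken on a known-good system and stored off-host,
    otherwise ransomware can encrypt the manifest along with the data."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8). Encrypted or compressed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, baseline: dict, entropy_threshold: float = 7.5) -> dict:
    """Classify the current tree against the baseline.
    'likely_encrypted' is a heuristic: a changed file with near-maximal entropy
    is consistent with encryption, not proof of it (archives and images are
    high-entropy too, which is why the hash comparison comes first)."""
    current = build_baseline(root)
    report = {"unchanged": [], "modified": [], "deleted": [], "new": [], "likely_encrypted": []}
    for rel, digest in baseline.items():
        if rel not in current:
            report["deleted"].append(rel)
        elif current[rel] == digest:
            report["unchanged"].append(rel)
        else:
            report["modified"].append(rel)
            with open(os.path.join(root, rel), "rb") as f:
                if shannon_entropy(f.read()) >= entropy_threshold:
                    report["likely_encrypted"].append(rel)
    report["new"] = list(set(current) - set(baseline))
    for key in report:
        report[key].sort()
    return report


def _fake_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for ransomware: XOR with a SHA-256 counter keystream.
    Deterministic so the demo is reproducible; not a real cipher."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def demo() -> dict:
    """Build a constructed sample tree, baseline it, simulate an incident, triage."""
    root = tempfile.mkdtemp(prefix="phi_triage_")
    os.makedirs(os.path.join(root, "records"))
    samples = {  # constructed, non-real records
        "records/patient_0001.txt": b"name: A. Example\nmrn: 000001\nvisit: 2019-01-07 flu\n" * 64,
        "records/patient_0002.txt": b"name: B. Example\nmrn: 000002\nvisit: 2019-01-08 checkup\n" * 64,
        "records/patient_0003.txt": b"name: C. Example\nmrn: 000003\nvisit: 2019-01-09 labs\n" * 64,
        "schedule.csv": b"date,provider,room\n2019-01-10,dr_x,3\n" * 32,
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    baseline = build_baseline(root)

    # Simulated incident: one record encrypted in place, one deleted, one
    # legitimately appended to, and a new note dropped at the top level.
    p1 = os.path.join(root, "records/patient_0001.txt")
    with open(p1, "rb") as f:
        plain = f.read()
    with open(p1, "wb") as f:
        f.write(_fake_encrypt(plain, b"demo-key"))
    os.remove(os.path.join(root, "records/patient_0002.txt"))
    with open(os.path.join(root, "records/patient_0003.txt"), "ab") as f:
        f.write(b"visit: 2019-01-11 follow-up\n")
    with open(os.path.join(root, "RESTORE_FILES.txt"), "wb") as f:
        f.write(b"constructed sample note\n")

    return triage(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The split between "modified" and "likely_encrypted" matters for the breach question: a file that changed but still has the entropy of plain text was edited, not encrypted, and deleted files are a separate line item for the notification analysis. The baseline only helps if it predates the incident and was kept somewhere the attacker could not reach, which is the practical reason to take it as part of the program rather than after the fact.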

Regardless of the size and sophistication of an organization, certain tasks should be done regularly to ensure the practice or hospital is ready at all times if an attack is launched. These include regular reminders from IT or security leaders not to click on emails that look suspicious, not working with protected health information in public areas such as a coffee shop, and frequently running phishing drills on employees and executives to see whether they click on rogue links.

These drills should continue over time, Armon cautions. “Every institution, regardless of size, will always be playing catchup.”

Armon advises that even if the organization does a good job educating the workforce on cybersecurity, some employees may not expect the unexpected when an incident occurs, and that’s okay because it will be a teachable moment.

Most importantly, he adds, the organization must emphasize that employees cannot assume the information technology department is taking care of data security—everyone must be involved in protecting the data.
