New Cybersecurity Threat Identification and Prevention Guidance from HHS

HIPAA

As a result of ongoing efforts under the Cybersecurity Act of 2015, the Department of Health and Human Services (HHS) has partnered with public and private sector entities to develop guidance for healthcare entities seeking to prevent/address cybersecurity incidents.  In December 2018, HHS issued Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients which provides education regarding cybersecurity issues facing healthcare providers as well as suggested best practices to address them.

In this guidance document HHS describes current cybersecurity threats to health care entities, including:

  • Email phishing attacks
  • Ransomware
  • Loss or theft of equipment/data
  • Insider accidental/intentional data loss
  • Attacks against connected medical devices

HHS provides tips for assessing a health care entity's vulnerability to these threats as well as recommended actions to take to prevent such attacks from succeeding.  The guidance document includes descriptions of specific incidents which brought hospitals and smaller practices to a halt.  HHS cautions that smaller health care entities should not assume they will not be targeted and cites outside studies which found that 58% of malware attack victims are small businesses and that 60% of small businesses go out of business within six months of attacks.

Most health care entities are required by the Health Insurance Portability and Accountability Act (HIPAA) to have in place policies and procedures to protect electronic protected health information (ePHI) and prevent cybersecurity incidents.  Among other things, HIPAA requires training of a healthcare entity's workforce regarding cybersecurity incident prevention.  This guidance would be a very useful tool for anyone creating/updating their HIPAA training program.  This guidance can also help providers looking for more effective ways to protect the security of patient PHI and to meet HIPAA Privacy and Security Rule requirements.

Ruth Griggs is a member of our Healthcare Group as well as the Cybersecurity & Technology Team.  Her practice focuses on the defense of medical professionals, HIPAA and other health care compliance matters and cybersecurity issues, particularly those associated with health information.  Should you have questions or need assistance in addressing cybersecurity concerns, Sands Anderson's Cybersecurity and Technology Team stands ready to help. 

Subscribe for Updates

Subscribe to receive useful articles, legal updates and firm news to keep you informed and up-to-date on important issues and trends.

Sign Up

Media Contact

Rachel Lufkin
804.783.6799

Email Rachel 

Jump to Page

Sands Anderson Cookie Preference Center

Your Privacy

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek