Cybersecurity Guidance Issued by HHS

  • In CMS
  • January 21, 2019

 The Department of Health and Human Services (HHS) has issued new guidance to help healthcare organizations prepare for and manage cyberattacks. The guidance is the end result of the Cybersecurity Act of 2015, which directed HHS to align cybersecurity practices across the healthcare sector.

Cybersecurity Guidance Starter Kit

HHS is presenting the guidance as a starter kit for IT and non-IT professionals alike, so that healthcare organizations of any size can raise their baseline cybersecurity. The guidelines are meant to give “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to local clinics, regional hospital systems, and large hospital systems,” according to HHS Deputy Secretary Eric Hargan.
The most common attack vectors used to compromise healthcare organizations are the following:

  • Email phishing
  • Ransomware
  • Data breaches
  • Insider threats
  • Targeted attacks against connected medical devices

These threats are the focus of the guidance, which explains how to identify each type of threat and then how to mitigate it.
The guidance also includes supplements keyed to organization size, since size is one of the most important variables in how a practice should approach cybersecurity. The supplements are specific to small, medium, and large healthcare organizations.

Cybersecurity Hard for Small Practices

Smaller practices usually have few or no dedicated IT and cybersecurity staff and operate in a less complex IT environment. Medium and large organizations tend to have more IT resources available, but they are also bigger targets: they are more dispersed geographically, share information with more partners, and run more complex IT environments, all of which give attackers more to aim at.
The guidance is voluntary for healthcare organizations, no matter their size. It draws on the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST).
The healthcare industry still has no mandatory cybersecurity standards, has a proliferation of internet-connected devices, and has spent years digitizing as much information as possible. Together these make the sector a ripe target for hackers. In addition, the increasing value of health information, combined with the absence of paper back-ups, makes recovering from a large data breach exceedingly expensive. A 2018 study found that healthcare organizations lose about $408 for every record lost or stolen in a data breach. That is far more than in any other sector that depends on electronic data; financial services, the second most expensive sector, loses about $206 per record lost or stolen in a data breach.
Congress is considering bills that would make cybersecurity defenses mandatory. Keep your ears to the ground and stay tuned as to what will be expected of you and your organization. In the meantime, it is not a bad idea to explore the guidance set forth by HHS and develop a cybersecurity plan for your organization.

Barbara Cobuzzi


Barbara J. Cobuzzi, MBA, CPC, CENTC, COC, CPC-P, CPC-I, CPCO, AAPC Fellow, is an independent consultant, CRN Healthcare Solution, Tinton Falls, N.J. She is consulting editor for Otolaryngology Coding Alert and has spoken, taught, and consulted widely on coding, reimbursement, compliance, and healthcare-related topics nationally. Barbara also provides litigation support as an expert witness for providers and payers. Cobuzzi is a member of the Monmouth, N.J., AAPC local chapter.

No Responses to “Cybersecurity Guidance Issued by HHS”

  1. Jamie Claypool says:

    Hi Barbara:
    Thanks for your article, very interesting topic.