HHS, industry leaders release voluntary cybersecurity practices for healthcare

Amid widespread concerns about hacking threats and privacy, HHS and industry leaders released voluntary cybersecurity practices to help protect healthcare organizations from threats and keep patient information safe.

The voluntary practices come several months after cybersecurity and hacking threats were named the top technology hazard healthcare organizations will face in 2019. Additionally, in a recent study, researchers used machine learning to reidentify the health data of some children and adults, signaling a need for legislation that better protects and ensures the privacy of people’s health data.

“Cybersecurity is everyone’s responsibility,” Janet Vogel, HHS acting chief information security officer, said in a prepared statement. “It is the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

The cybersecurity practices explore the most relevant and current threats to the healthcare industry, call on industry stakeholders to take protective and preventive cybersecurity measures and provide resources for organizations to assess their own cybersecurity posture and develop policies and procedures. The document also includes two technical volumes geared toward IT and IT security professionals that focus on cybersecurity practices for small, medium and large healthcare organizations.

The cybersecurity practices were an industry-led effort in response to a mandate that required the development of practical cybersecurity guidelines to reduce risks for the healthcare industry. The two-year effort brought together more than 150 cybersecurity and healthcare experts from the industry and government, according to HHS.

“The healthcare industry is truly a varied digital ecosystem,” Erik Decker, industry co-lead and chief information security and privacy officer for the University of Chicago Medicine, said in a prepared statement. “We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers; recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert.”