
HHS Issues Cybersecurity Guidance


Voluntary Cybersecurity Practices for the Healthcare Industry

Just after the new year, the US Department of Health and Human Services (HHS) released updated guidance to help healthcare organizations protect themselves against cyberattacks. The guidance is both timely and essential given the continued escalation of attacks against healthcare environments, attacks that are growing more complex and now include DDoS, ransomware, and attacks against connected medical devices. As the saying goes, thieves go where the money is: a typical healthcare record sells for around $100 on the black market, roughly ten times the price of records from other verticals such as financial services. The cost of a breach is just as severe, at more than $400 per compromised record.


[Figure: healthcare data breach cost, 2018]

Organizations of all sizes will benefit from this guidance, especially smaller ones that lack deep in-house IT and security expertise.

The guidance states three overall goals, to:

  • Cost-effectively reduce cybersecurity risks for a range of health care organizations;
  • Support the voluntary adoption and implementation of its recommendations; and
  • Ensure, on an ongoing basis, that content is actionable, practical, and relevant to health care stakeholders of every size and resource level.

Note that these are great goals for any vertical!

Mandated by Section 405(d) of the Cybersecurity Act of 2015 (CSA), the guidance, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), aligns closely with the NIST Cybersecurity Framework (CSF), a risk-management framework that Cavirin embraces and supports. The five threats explored in the document are:

  • E-mail phishing attacks
  • Ransomware attacks
  • Loss or theft of equipment or data
  • Insider, accidental or intentional data loss
  • Attacks against connected medical devices that may affect patient safety

The two technical HHS volumes, Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations and Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations, go into much greater detail, and the companion Resources and Templates volume maps each practice to specific NIST CSF subcategory identifiers.

Best practices for threat mitigation fall into ten areas:

  • E-mail protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

NIST CSF for Healthcare

Check out the Cavirin NIST CSF Playbook, where we outline the mapping between the NIST CSF and healthcare-specific standards and best practices such as HIPAA and IEC/TR 80001-2-2, much as HHS does in the HICP guidance.

Cavirin's healthcare solution supports the NIST CSF, the HIPAA technical controls, and the AWS HIPAA Quick Start, and it lets organizations customize frameworks to their own business requirements, including CIA (confidentiality, integrity, availability) ratings for specific controls. Healthcare organizations can thus automate compliance to achieve and maintain their golden cybersecurity posture, just as Pacific Dental Services, Cepheid, and a large national healthcare partner have done.



© 2019 Cavirin Systems, Inc. All rights reserved.