Barclay Damon

Legal Alert

Department of Health and Human Services Releases Cybersecurity Guidance and Resources Tailored to Health Industry

A series of recent guidance documents published by the Department of Health and Human Services (HHS) titled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients states that the cost of data breaches for health care organizations is on the rise, increasing from $380 per breached record in 2017 to $408 per record in 2018. The average total cost of a data breach for a health care organization is estimated to be $2.2 million. The guidance identifies the most common cybersecurity threats health care organizations face and provides cybersecurity practices these organizations can implement to mitigate the identified threats and vulnerabilities.

The guidance, which was created pursuant to a directive in Section 405(d) of the Cybersecurity Act of 2015, is the product of a collaborative effort by health care and cybersecurity industry experts in both the public and private sectors. The guidance consists of four documents, described in more detail as follows:

“Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (Main Publication)

This document provides an overview of current cybersecurity threats facing the health care industry and lists the five most common cybersecurity threats as:

  1. Email phishing attacks
  2. Ransomware attacks
  3. Loss or theft of equipment or data
  4. Insider data loss, either accidental or intentional
  5. Attacks against connected medical devices that may affect patient safety

For each threat, the document describes vulnerabilities, impacts, and practices for health care organizations to consider. Providers looking to mitigate these five threats are directed to review the technical volumes, which provide cybersecurity practices appropriate for small (Technical Volume 1) and medium to large (Technical Volume 2) organizations.

“Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations”

This document provides ten cybersecurity practices for small health care organizations, which may not have dedicated information technology (IT) and security staff due to limited resources. Cybersecurity practices include the following, each with sub-practices, to mitigate common cybersecurity threats:

  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

“Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations”

This document provides cybersecurity practices for medium and large health care organizations, which may operate in more complex legal, operational, and regulatory environments. The categories of cybersecurity practices covered in Technical Volume 2 are similar to, but more expansive than, those addressed in Technical Volume 1, reflecting the more interconnected and complex IT systems found in larger organizations.

“Resources and Templates”

This document provides additional resources to supplement the main publication and technical volumes, including a glossary of common terms and an overview of the cybersecurity practices and how they align with the NIST Cybersecurity Framework. This document also provides a list of free resources and template documents relating to the threats and concepts covered in the guidance documents.

In addition, HHS is in the process of developing a “cybersecurity practices assessments toolkit” to help organizations develop action plans to address security threats using a proposed assessment methodology.

If you have any questions regarding the content of this alert, please contact Bridget C. Steele, associate, at  or 716.858.3704.