April 29, 2019

By now, the specter of privacy and security breaches generally, and cyberattacks specifically, should be well ingrained into the minds of healthcare professionals.  Ransomware, phishing and other email attacks, theft and hacking of medical devices, and other perils, along with the catastrophic harm they may cause to healthcare organizations and facilities, their patients and their patients’ medical and other personal information, increase in frequency and intensity seemingly on a daily basis.  These problems are arguably exacerbated by regulatory frameworks and practices that struggle to keep pace.

 Against this background, the U.S. Department of Health and Human Services (“HHS”) recently published a document titled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (the “HICP”).[1]  The HICP was developed by a 150 member industry task force organized pursuant to Section 405(d) of the federal Cybersecurity Act of 2015 (the “Task Force”).[2] 

The HICP targets 5 specific cybersecurity threats the Task Force deems to be the most prevalent in the healthcare industry and provides 10 specific cybersecurity practices healthcare organizations may adopt to mitigate risks associated those threats.  The specific cybersecurity threats and practices are as follows:

Cybersecurity Threats

1.   Email phishing attacks
2.   Ransomware attacks
3.   Loss of theft of equipment or data
4.  Accidental and intentional insider threats
5.  Attacks against connected devices

Cybersecurity Practices

1.  Email protection systems
2.  Endpoint protection systems
3.  Access management
4.  Data protection and loss prevention
5.  Asset management
6.  Network management
7.  Vulnerability management
8.  Incident response
9.  Medical device security
10.  Cybersecurity policies[3]

            The HICP comprises four volumes: the introductory “Main Document;” Technical Volume 1: Cybersecurity Practices for Small Organizations; Technical Volume 2: Cybersecurity Practices for Medium and Large Organizations and a final volume titled  “Resources and Templates.”  As the titles suggest, Technical Volume 1 and Technical Volume 2 provide guidance tailored to  “Small Health Care Organizations” (including physician practices with 10 or fewer physicians, acute/post-acute facilities with 25 or fewer providers and hospitals with 50 or fewer beds); “Medium Health Care Organizations” (including physician practices with 11-50 physicians; acute/post-acute facilities with 26-500 providers; and hospitals with 51-299 beds)  and “Large Health Care Organizations” (including larger physician practices, hospitals and facilities).  The HICP includes a different set of “sub-practices” for each type of organization (19 for “Small” organizations; 36 for “Medium” organizations and 34 for “Large” organizations) (such sub-practices, together with the 10 above-specified cybersecurity practices, the “Cybersecurity Practices”), to reflect that healthcare organizations vary widely in size, complexity, capabilities and available resources and to facilitate effective implementation of the Cybersecurity Practices taking into account each entity type’s cybersecurity-related attributes, strengths and vulnerabilities.[4] Consistent with HHS’s historic approach to information security, the HICP links the Cybersecurity Practices to corresponding safeguards recommended in the NIST Cybersecurity Framework.[5] 

The Task Force emphasizes that not all Cybersecurity Practices will apply in the same manner (if at all) to different healthcare organizations and that, in any event, the HICP is not intended to serve as a standard for determining legal compliance, including in respect to the Health Insurance Portability and Accountability Act (“HIPAA”) and/or State-specific healthcare privacy and security laws and regulations.  Rather, the Task Force explains that the HICP is intended to (i) cost-effectively reduce cybersecurity risks for a range of health care organizations; (ii) support the voluntary adoption and implementation of its recommendations; and (iii) ensure, on an ongoing basis, that its content is actionable, practical and relevant to health care stakeholders of every size and resource level.[6]

Notwithstanding the HICP’s stated purposes, however, it remains to be seen whether and how the HICP will be utilized and interpreted by regulators, judges and others in regard to compliance and enforcement matters.  For example, as individuals affected (or potentially affected) by data breaches continue to seek legal action against healthcare and other defendants, it remains to be seen whether judges will look to the HICP as a basis for determining liability in regard to negligence other claims for damages.  Despite this lack of clarity, we strongly recommend healthcare organizations take note of the HICP and measure their existing security safeguards against the appropriate Cybersecurity Practices (i.e., for “small,” “medium” or “large” organizations, as the case may be).  Healthcare organizations should also examine and take advantage of the “Resources and Templates” volume in the HICP that includes, among other things, a sample model for prioritizing implementation of Cybersecurity Practices based on risk criticality,[7] as well as an extensive list of additional cybersecurity resources and information[8] and a number of template documents, including sample policies and procedures and a sample form of privacy and security report, healthcare organizations may incorporate into their security practices. 

PLEASE BE ADVISED: This Memorandum is intended only to provide an overview of the matters addressed herein and does not constitute legal advice.  If you have questions regarding a specific arrangement with a physician or other health care provider, please seek appropriate legal counsel. 

     [1] U.S. Department of Health and Human Services and Healthcare & Public Health Sector Coordinating Councils, a Public Private Partnership, Healthcare Industry Cybersecurity Practices: Managing Threats and Protecting Patients, available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx (last visited April 29, 2019) (the “HICP”).

[2] HICP, at page 3.

[3]See HCIP, Main Document, The Publication: Health Industry Cybersecurity Practices, at page 6.

[4] See id., Foreword from Co-Leads, at page 4.

[5] See National Institute of Standards and Technology (NIST), Framework Documents, available at https://www.nist.gov/cyberframework/framework (last visited April 29, 2019).

[6] See id.

[7] See HCIP, Resources and Templates, Appendix E-1: Enumerate and Prioritize Threats, at page 39.

[8] See HCIP, Resources and Templates, Appendix F: Resources, at page 43.