Over a year of collaboration between the Department of Health and Human Services (HHS) and industry partners has culminated in the publication of a cybersecurity guide for medical providers of all sizes. HHS describes it as “a set of voluntary, consensus-based principles and practices to improve cybersecurity in the health sector,” one that aims to “raise the cybersecurity floor” across the country. Although the guide emphasizes its wide applicability, much of the discussion appears directed at small and mid-sized providers. For example, HHS highlights a recent study that found healthcare cyberattacks tend to focus on smaller targets, while also citing a rural hospital that was forced to replace its entire network following a ransomware attack.
The good news for this apparent target audience is that, at least for now, the guide remains voluntary. However, small and mid-sized providers should recognize its importance and take the necessary steps to abide by its recommendations. In light of recent rulings in states such as Pennsylvania, where all entities that possess data are subject to negligence claims for the loss of such data, courts will likely use guides such as this one when considering the standard of care. Furthermore, HHS was careful to create processes and procedures that are sensitive to the cost limitations of smaller organizations. The guide itself is fairly concise and consists primarily of training and informational resources. Many cyberattacks begin with human error, such as employees clicking on malicious links, and so HHS offers step-by-step training that can be implemented at minimal cost. It also suggests engaging with software and hardware providers, who are typically more than happy to provide free cybersecurity information about their systems.
While HHS emphasizes that its recommendations are still mere suggestions, small and mid-sized providers should take advantage of a very practical and informative guide (a guide for medium to large health care organizations can be found here). Cyberattacks are increasingly perpetrated by less sophisticated hackers who can quickly hit a great number of small targets, relying on volume rather than skill. Despite the relatively small size of these attacks, their effect on an organization can be devastating. Data loss can be the least of a provider’s concerns, as hackers can also manipulate data, control medical devices, and permanently cripple an entire network. Taking HHS’s suggested steps can greatly reduce any organization’s vulnerabilities and prepare it for the increasingly likely event that a data breach occurs.