Health Industry Cybersecurity Practices


Earlier this year the Department of Health and Human Services issued a report that in part detailed practices hospitals can use to avoid cyberattacks against the health care industry. The genesis of the report was the Cybersecurity Act of 2015 (CSA) and, more specifically, section 405(d). That section calls for “aligning health care industry security approaches.” The foreword to the report provides that “industry and government came together under the auspices of the 405(d) task group…focused on building a set of voluntary, consensus-based principles to ensure cybersecurity in the health care and public health sector.”

The report describes five of the most current and common cybersecurity threats to health care organizations:

1. E-mail phishing attack;
2. Ransomware attack;
3. Loss or theft of equipment or data;
4. Insider, accidental or intentional data loss; and
5. Attacks against connected medical devices that may affect patient safety.

For each threat, the report lists vulnerabilities, potential impacts, and practices to consider in responding to the threat. The practices to consider include a number of different measures that could be followed by manufacturers and healthcare providers alike. In fact, a number of the practices directly call for manufacturers and healthcare providers to work together to maintain product security on an ongoing basis. The practices to consider outlined in the report may be utilized by plaintiffs’ lawyers as standards of care in lawsuits against medical device manufacturers and healthcare providers alike, and may affect how manufacturers and healthcare providers protect against and ultimately defend claims.