Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients

HHS convened the Task Group in May 2017 to plan, develop, and draft this guidance document. To ensure a successful outcome and a collaborative public–private development process, HHS engaged a diverse group of health care and cybersecurity experts from the public and private sectors. Participation was open and voluntary. HHS collaborated with the HPH Sector Government Coordinating Council, the HPH Sector Coordinating Council, the Department of Homeland Security (DHS), and the National Institute of Standards and Technology (NIST).ii ii Participants included subject matter experts with backgrounds and experience in the following roles: chief executive officer; chief information security officer (CISO) and/or IT security professional; chief information officer; chief risk officer or other risk manager; office of technology leader or hospital administrator; doctor, nurse, and other health care practitioners The Task Group’s approach to the guidance document:

1. Examines current cybersecurity threats affecting the HPH sector;
2. Identifies specific weaknesses that make organizations more vulnerable to the threats; and
3. Provides selected practices that cybersecurity experts rank as the most effective to mitigate the threats.

This document provides best practices regarding risks such as:

• E-mail phishing attacks
• Ransomware attacks
• Loss or theft of equipment or data
• Insider, accidental or intentional data loss
• Attacks against connected medical devices that may affect patient safety

The full Health and Human Services document can be downloaded below.