HHS issues voluntary guidelines amid rise of cyberattacks

Dive Brief:

• To combat security threats in the health sector, HHS issued a voluminous report that details ways small, local clinics and large hospital systems alike can reduce their cybersecurity risks. The guidelines are voluntary, so providers will not be required to adopt the practices identified in the report. 
• The four-volume report is the culmination of work by a task force, convened in May 2017, that worked to identify the five most common threats in the industry and 10 ways to prepare against those threats.  
• The five most common threats are email phishing attacks, ransomware attacks, loss or theft of equipment or data, accidental or intentional data loss by an insider and attacks against connected medical devices.

Dive Insight:

Weaknesses that are exploited in a health system’s cybersecurity system can come with a steep price tag. The average cost of a data breach for a healthcare organization is $ 2.2 million, according to the latest report from HHS. In 2016, the U.S. healthcare system lost $ 6.2 billion due to data breaches, the department said. 

The task force’s recommendations stem from a mandate in the Cybersecurity Act of 2015 that called for the industry-led report to mitigate risks. 

As cyberattacks increase, HHS said it’s imperative to improve the security and safety of patients.

“Technologies are vital to the healthcare industry and help provide life-saving treatments and improve patient care. However, these same technologies are vulnerable to myriad attacks from adversaries, ranging from criminals and hacktivists to nation-states,” HHS said in a statement. 

The mindset of employees should be similar to the expectations around hand washing and hygiene, the report states. “Health care organizations must practice good ‘cyber hygiene’ in today’s digital world, including it as a part of daily universal precautions,” it reads.

For each potential threat, the report details recommendations on what organizations can do to lessen their risk. When it comes to data theft or loss, the report encourages providers to maintain a complete and accurate inventory of its current assets. This helps to to mitigate threats in the event of a lost or stolen smart phone, laptop or thumb drive.

Among myriad other suggestions, the report also recommends training staff to spot suspicious emails in an effort to thwart phishing attacks.

A recent Kaspersky Lab report found that a third of healthcare employees said their organizations were targeted by cybercriminals more than once. And a report from JAMA found that more than half of all data breaches are triggered internally.