HIPAA Cybersecurity

HIPAA Cybersecurity Best Practices for Healthcare Organizations


HIPAA CybersecurityThe U.S. Department of Health and Human Services (HHS) has issued new cybersecurity guidelines for healthcare organizations to manage cyber threats and protect patients. These are particularly important for telebehavioral health professionals because of the security risks that telehealth platforms are exposed to on a daily basis.

The U.S. healthcare industry lost $6.2 billion in 2016 because of data breaches, with the average cost of a data breach being $2.2 million for a healthcare organization. Additionally, HIPAA cybersecurity incidents can lead to largescale fines and government investigations. Four out of five physicians in the United States have been the victim of cyberattacks at some level.

“Cybersecurity is everyone’s responsibility,” Janet Vogel, HHS Acting Chief Information Security Officer, said in a statement. “It is the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

Technology is beneficial and even essential to care for patients in a telebehavioral health setting, but those technologies don’t come without risk. If there isn’t proper risk management in place, there is potential for disruption to healthcare operations, costly data breaches, harm to patients, HIPAA cybersecurity incidents, and permanent damage to your hardfought reputation.

The HHS guidance in question, Health Industry Cybersecurity Practices (HICP): Managing Threads and Protecting Patients,was developed by industry professionals in response to a mandate set forth by the Cybersecurity Act of 2015 Section 405(d). HICP aims to reduce healthcare cybersecurity risks in a cost-effective way by providing practical guidelines for healthcare organizations to follow.

More than 150 cybersecurity and healthcare experts came together to develop the guidance more than two years ago. Among these developers were cybersecurity and healthcare experts from both the industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. With this new guidance, HHS demonstrates a renewed commitment to HIPAA cybersecurity in the months and years ahead.

“The healthcare industry is truly a varied digital ecosystem,” Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine, said. “We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers.”

There are three main goals of the guidance and best practices:

  • Minimize cybersecurity risks for healthcare organizations in a cost-effective manner;
  • Promote the voluntary implementation of the Cybersecurity Act recommendations, and;
  • Provide relevant and easy-to-follow cybersecurity advice for healthcare organizations of varying sizes.

The guidance and best practice serves to aid healthcare organizations in dealing with the biggest cybersecurity threats including email phishing attacks, ransomware attacks, loss/theft of equipment and data, accidental and intentional insider data breaches, and medical device attacks.

In addition to HICP, there are two technical volumes that lay out cybersecurity practices for healthcare organizations based on size. Volume 1 tailors to small healthcare organizations like clinics while Volume 2 is for medium-to-large health systems. The volumes contain a “common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes” to reduce cybersecurity risks for the healthcare industry in a cost-effective manner.

The technical volumes detail ten cybersecurity practices in the following areas:
            E-mail protection systems
            Endpoint protection systems
            Access management
            Data protection and loss prevention
            Asset management
            Network management
            Vulnerability management
            Incident response
            Medical device security
            Cybersecurity policies

HHS will continue to work with industry stakeholders to promote efforts to raise awareness of cybersecurity threats and to implement the guidance across the healthcare industry.

HIPAA Resources

If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure.Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!

HIPAA Webinars:

Cyber Security


Cyber Security: Top 5 Things You Can Do Tomorrow Morning to Protect Your Practice and Your Clients/Patients

Ransomware hackers attack smaller healthcare practices daily, creating serious data breaches and HIPAA violations. Are you and your clients/patients vulnerable, too?


Social Media and HIPAA Compliance


Social Media and HIPAA Compliance: Protecting Your Practice in the Digital Age

Managing social media use and HIPAA compliance can lead to some of the most common misunderstandings faced by healthcare providers. Improperly trained employees can expose your organization to HIPAA violations and costly fines!


Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.



Rate this post!

(3 raters, 15 scores, average: 5.00 out of 5)

Leave a Reply

Name and email are required. Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.