HIPAA Cybersecurity Best Practices for Healthcare Organizations
The U.S. Department of Health and Human Services (HHS) has issued new HIPAA cybersecurity guidelines for healthcare organizations to manage cyber threats and protect patients. These are particularly important for telebehavioral health professionals because of the security risks that telehealth platforms are exposed to on a daily basis.
The U.S. healthcare industry lost $6.2 billion in 2016 because of data breaches, with the average cost of a data breach being $2.2 million for a healthcare organization. Additionally, HIPAA cybersecurity incidents can lead to largescale fines and government investigations. Four out of five physicians in the United States have been the victim of cyberattacks at some level.
“Cybersecurity is everyone’s responsibility,” Janet Vogel, HHS Acting Chief Information Security Officer, said in a statement. “It is the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”
Technology is beneficial and even essential to care for patients in a telebehavioral health setting, but those technologies don’t come without risk. If there isn’t proper risk management in place, there is potential for disruption to healthcare operations, costly data breaches, harm to patients, HIPAA cybersecurity incidents, and permanent damage to your hardfought reputation.
The HHS guidance in question, Health Industry Cybersecurity Practices (HICP): Managing Threads and Protecting Patients,was developed by industry professionals in response to a mandate set forth by the Cybersecurity Act of 2015 Section 405(d). HICP aims to reduce healthcare cybersecurity risks in a cost-effective way by providing practical guidelines for healthcare organizations to follow.
More than 150 cybersecurity and healthcare experts came together to develop the guidance more than two years ago. Among these developers were cybersecurity and healthcare experts from both the industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. With this new guidance, HHS demonstrates a renewed commitment to HIPAA cybersecurity in the months and years ahead.
“The healthcare industry is truly a varied digital ecosystem,” Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine, said. “We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats. That is exactly what this resource delivers.”
There are three main goals of the guidance and best practices:
- Minimize cybersecurity risks for healthcare organizations in a cost-effective manner;
- Promote the voluntary implementation of the Cybersecurity Act recommendations, and;
- Provide relevant and easy-to-follow cybersecurity advice for healthcare organizations of varying sizes.
The guidance and best practice serves to aid healthcare organizations in dealing with the biggest cybersecurity threats including email phishing attacks, ransomware attacks, loss/theft of equipment and data, accidental and intentional insider data breaches, and medical device attacks.
In addition to HICP, there are two technical volumes that lay out HIPAA cybersecurity practices for healthcare organizations based on size. Volume 1 tailors to small healthcare organizations like clinics while Volume 2 is for medium-to-large health systems. The volumes contain a “common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes” to reduce cybersecurity risks for the healthcare industry in a cost-effective manner.
The technical volumes detail ten cybersecurity practices in the following areas:
E-mail protection systems
Endpoint protection systems
Data protection and loss prevention
Medical device security
HHS will continue to work with industry stakeholders to promote efforts to raise awareness of cybersecurity threats and to implement the guidance across the healthcare industry.