The HHS cybersecurity report that will help you protect your clients’ information

Published on February 21, 2019

If you’re running a small medical practice and have felt stumped when it comes to improving your security to avoid cyberattacks or data breaches, the U.S. Department of Health and Human Services (HHS) recently published a useful publication that can help strengthen your practice’s security, and help you engage in productive conversations with your IT team or outside IT vendors. Even if you aren't in the healthcare field, this report will help you better understand and protect yourself from cybersecurity threats.

Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, published under the auspices of the Cybersecurity Act of 2015 (CSA), Section 405(d), consists of a main document, two technical volumes, and a resources and templates volume. For anyone wanting to gain an understanding of cybersecurity issues so they can make the best decisions for their practice, this report is a terrific starting point.

In today’s post, we’ll highlight the key points of each part of the report so you can determine if a deeper dive would benefit your practice.

The main document - understanding cybersecurity threats

The main document addresses the need for the report, explains why cybersecurity is an issue that must be taken seriously and systematically addressed, and identifies cybersecurity threats your practice may face right now. The report also aims to answer some key questions:

  • “Why should you worry about cybersecurity and take action now?”
  • “How does this publication help me?”
  • “Can it happen to me?”
  • “Where do I fit?”

The report does a good job of answering these and more complex questions in simple layman’s terms that are easy to follow and apply.

The main document also introduces five threats healthcare practices of any size could face:

  • Email phishing attack
  • Ransomware attack
  • Loss or theft of equipment or data
  • Insider, accidental, or intentional data loss
  • Attacks against connected medical devices that may affect patient safety

These same threats appear as example cases in the two technical volumes that follow.

The document goes on to explain cybersecurity concepts that are often misunderstood. For example, do you know how a “threat” differs from a “vulnerability”? Or how they combine to create an “impact”?

The document provides an analysis of the vulnerabilities surrounding each of the five threats, the impacts the threats could have on a practice, and cybersecurity best practices to consider to “address vulnerabilities and limit the damage.”


Medical professionals help patients identify probable health risks, for example based on family history of medical conditions. They also help patients protect themselves against those risks by making appropriate lifestyle changes and by implementing regimens to detect any health conditions that might arise… Similarly, this document identifies current cybersecurity threats in the healthcare industry and provides cybersecurity practice recommendations.


The technical volumes - 10 cybersecurity practices

The first technical volume lays out 10 cybersecurity practices that can reduce the impact of the threats introduced in the main document. The practices included in this volume were developed specifically for small healthcare organizations. The practices in the next volume are similar but tailored to reflect the requirements of medium and large organizations. These are the ten practices for small organizations:

  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

If this all seems a little intimidating, that’s why this report was compiled. The technical volumes walk you through the steps to implement each practice, including everything from basic safe email habits to conducting an inventory of your IT assets.

These are practices your IT team may already be using. The purpose of the report is to give you a solid overview of what needs to be accomplished so you can effectively discuss the practices with your team.

The second technical volume for medium and large organizations is intended as a guide for IT professionals, although it too is a valuable resource for healthcare practitioners.

Appendices - glossary, threat assessment roadmap, templates, and more

The last section of the report consists of several appendices including a glossary of terms (Appendix A), numerous free resources (Appendix F), and several templates (Appendix G) that you can use as starting points for developing your policy documents.

This final volume is a useful tool for applying the information in the previous three volumes. Appendix E, for example, provides a step-by-step process for evaluating the cybersecurity practices in the technical volumes and assessing your organization so you can prioritize where you need to focus your security efforts.


Just as health care professionals must wash their hands before caring for patients, health care organizations must practice good “cyber hygiene” in today’s digital world, including it as a part of daily universal precautions.

HICP


According to the Cybersecurity Act of 2015 (CSA) website, a Cybersecurity Practices Assessments Toolkit that will help “organizations prioritize their cyber threats and develop their own action plans” is still under development. You can request an advance copy at CISA405d@hhs.gov.

You can always learn more about cybersecurity

As the online world continues to evolve, there will always be something new to learn about cybersecurity. There are numerous tools provided by many knowledgeable organizations that can help you through the process of ensuring your organization is secure and your clients’ personal information is protected. 

We post regularly about security issues on our blog and have included a few of these posts here:

Guest post: secure online communication
How to engage employees in cybersecurity

Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients is another resource that will provide you with a strong knowledge foundation so you can either personally participate in your organization’s security efforts, or help direct your IT professionals in a way that makes the most sense for your practice.

Are you looking for a secure, HIPAA-compliant email service to help boost your practice’s cybersecurity?

Sign up for Hushmail for Healthcare today.


The recently published HHS report, Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, brings clarity to the topic of cybersecurity for healthcare organizations of all sizes. The report gives healthcare practice managers a broad view of what cybersecurity is, why cybersecurity practices are necessary, suggests 10 specific practices that can be implemented now, and provides numerous resources to help in implementation.