Jan 03 2019

HHS Unveils Voluntary Healthcare Cybersecurity Guidance

The four-volume document aims to offer practical advice to healthcare organizations on how to shore up defenses.

In the last few days of 2018, the Health and Human Services Department released new voluntary cybersecurity guidance for healthcare organizations. The publication, entitled “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients,” aims to "provide voluntary cybersecurity practices to healthcare organizations of all types and sizes, ranging from local clinics to large hospital systems," according to a press release from HHS.

The document, released on Dec. 28, fulfills a mandate set out by the Cybersecurity Act of 2015, which called for industry and government to develop guidelines that could "cost-effectively reduce cybersecurity risks for the healthcare industry," the press release notes. The guidelines are a result of a two-year effort that aims to arm healthcare organizations with the knowledge necessary to protect life-saving technologies and patient data from intrusion or attack.

"The healthcare industry is truly a varied digital ecosystem. We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats," said Erik Decker, industry co-lead and Chief Information Security and Privacy Officer for the University of Chicago Medicine, in the HHS press release. "That is exactly what this resource delivers; recommendations stratified by the size of the organization, written for both the clinician as well as the IT subject matter expert."