
Paul Zimmerman

Cybersecurity in Health Care: The DHHS Has Spoken

We live in an age of cyber threats and crime, and no industry is immune to data breach. Unfortunately, because of the volume of personal information collected and processed in order to provide health care and insurance benefits, the medical profession is among those most frequently targeted by cybercriminals. And while the HIPAA (Health Insurance Portability and Accountability Act of 1996) Security Rule requires appropriate safeguards to ensure the confidentiality, integrity and security of individuals’ electronic personal health information, some health care providers struggle to implement and comply with its requirements. The Department of Health and Human Services has partnered with leaders in the health care space to help with that.

With its recent release of voluntary health care cybersecurity guidelines, DHHS seeks to help health care providers of every size (small, medium and large) assess their threats and strengthen their cybersecurity readiness, in order to reduce the risk of data breaches and protect against interruption of health care services (for example, ransomware attacks capable of disabling entire facilities and networks). Published on December 28, 2018, the DHHS’s four-volume “Health Industry Practices: Managing and Protecting Patients,” developed by the 405(d) Task Force in response to a mandate in the Cybersecurity Act of 2015, is a best practices guide designed to provide the tools and guidance that help health care organizations of all sizes reduce their cybersecurity vulnerabilities in a cost-effective way. The recommendations, as drafted, are industry-led and consensus-driven.

The publication examines health care’s cybersecurity landscape and its most pressing threat scenarios (e.g., email phishing attacks, ransomware attacks, loss or theft of equipment and data, accidental and intentional insider data breaches, and medical device attacks that could affect patient safety) and identifies particular susceptibilities. It also contains two separate technical volumes, one for small providers and a second for medium to large providers, each tailored to the threats, controls and recommended practices that can mitigate the risks outlined, including:

  • E-mail protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

While the guidelines are voluntary, and the publication notes that they may not be appropriate in all security environments, they could nonetheless be used to establish a standard of care in subsequent data breach and negligence claims (including potential OCR enforcement actions). Accordingly, players in the health care space should proactively compare their current practices against the DHHS recommendations and consider documenting any exceptions or variances from the suggested controls. It may be necessary to improve current processes, procedures and systems in order to demonstrate appropriate due diligence should an organization face a data breach or OCR audit down the road.

Of course, and toward that end, the health care and cybersecurity professionals at Michelman & Robinson, LLP are here to assist and make the process as easy – and understandable – as can be. Feel free to contact Scott Lyon at (714) 557-7990 or or Mark Zafrin at (212) 730-7700 or

This blog post is not offered as, and should not be relied on as, legal advice. You should consult an attorney for advice in specific situations.