HHS Releases Guidelines to Combat Ransomware, Insider Threats, IoT Attacks

The Department of Health and Human Services (HHS) last week released its Health Industry Cybersecurity Practices, a set of voluntary cybersecurity guidelines for the private sector that leverages the National Institute of Standards and Technology (NIST) Cybersecurity Framework to address cybersecurity issues across healthcare organizations of all sizes.

The guidance, required by the Cybersecurity Act of 2015 and released on December 28, breaks organizations into small, medium, or large categories, and offers best practices and how they apply to each type of organization. The guidance also highlights the most prevalent threats to healthcare organizations, including phishing, ransomware, equipment or data theft, insider threats to data, and attacks against connected medical devices. HHS included real-world scenarios to illustrate risks, including the example of attackers using an email that appears to be from a credit card company to trick a healthcare organization into downloading malware.

“We do not expect the practices provided in this publication to become a de facto set of requirements that all organizations must implement,” said Erik Decker and Julie Chua, co-leads for the Health Industry Cybersecurity Practices report. “We felt that the best approach to ‘moving the cybersecurity needle’ was to leverage the NIST Cybersecurity Framework, introducing the Framework’s terms to start educating health sector professionals on an important and generally accepted language of cybersecurity.”

The 10 identified practices are:

  • Email protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

In addition to the practices, the document includes sub-practices tailored to different types of organizations. For example, email system configuration is included as a sub-practice under email protection systems for small organizations, workforce education is included for medium-sized organizations, and digital signatures are suggested for large organizations.

Recent