Posted on 05/06/2019 at 01:36 PM by John Lande
The Department of Health and Human Services (“HHS”) has released the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” guide. The publication contains a comprehensive summary of cybersecurity threats for the healthcare industry, and technical details for mitigating those cybersecurity risks. The technical volumes in the publication are particularly helpful because they reference specific sections of the cybersecurity standards published by the National Institute of Standards and Technology (“NIST”). Organizations that are trying to ensure NIST compliance will therefore find the HHS guide useful in assessing their own cybersecurity preparedness.
Even though HHS produced this publication for hospitals and healthcare organizations, many of the recommendations are broadly applicable to organizations of all kinds. Many of the same procedures and practices can secure organizations across all industries from cybersecurity threats. For example, this blog has previously covered the regulatory framework produced by the New York Department of Financial Services. That framework, like the recent HHS publication, is a useful framework for all organizations that are concerned about cybersecurity preparedness. Some of the key lessons from these rules and guidance documents are:
Phishing Training. This blog has covered numerous cases where phishing schemes have led to cybersecurity incidents. Phishing is a challenging threat vector to mitigate, because unlike many other kinds of risks it is not possible to purchase hardware or software to completely eliminate the risk. Ultimately, organizations depend on their employees to identify and quarantine phishing attempts. Organizations must therefore train their employees to identify suspected phishing attempts, and avoid interacting with fraudsters.
Elevate Cybersecurity. Cybersecurity is not just an issue for the IT department. Senior leadership needs to be involved in understanding cybersecurity threats and implementing controls to reduce those risks. This could take the form of hiring a new manager or officer, or adding responsibilities to an existing position. In either case, senior management should devote time to understanding cybersecurity risks and mitigating those risks.
Conduct Vulnerability Assessments. Periodic vulnerability tests are an important part of cybersecurity. These tests can take the form of phishing tests for employees and penetration testing of an organization’s external firewalls. Cybersecurity is constantly evolving, so organizations need to make sure they are adapting to the latest set of threats.
Implement Controls. Cybersecurity depends on human judgment, which is never perfect. Organizations can expect that some employees will fall victim to a phishing scheme, so it is important that no single employee has the ability to do something that is devastating to the organization. This can mean limiting the amount of funds any single employee is capable of transferring, or limiting access to certain kinds of sensitive information. Ultimately, organizations need to purchase insurance as a final form of risk mitigation. However, as this blog has previously covered, simply buying “cyber” insurance may not mean an organization is completely covered.
Prepare for the Worst. A cybersecurity incident is not inevitable, but organizations should plan like it is. That means organizations should have an incident response plan that identifies the legal, computer forensic, and insurance professionals the organization plans to contact in the event of an incident. Organizations should review that plan from time to time to make sure that the organization is ready if an incident occurs.
Organizations today have the benefit of resources like the New York Department of Financial Services regulations and HHS’s publication to guide cybersecurity readiness. It doesn’t matter that these were prepared for financial institutions and health care organizations, because the lessons are broadly applicable to all kinds of organizations.
Questions, Contact us today.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.