The Department of Health and Human Services (HHS) recently released a report titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” HHS details the following notable statistics to underscore the need for continuing improvement in cybersecurity for those in the healthcare industry: (1) in the United States, four out of five physicians have reported experiencing some form of cyberattack; (2) ninety percent of small businesses (including those in the healthcare industry) do not use any data protection for customer information; (3) fifty-eight percent of malware attack victims are small businesses; and (4) healthcare has the highest data breach cost per record of any industry, almost double that of the second-highest industry, the financial sector. These statistics underscore the need for a robust cybersecurity plan for anyone in the healthcare industry, especially smaller companies or providers that may have traditionally ignored cybersecurity protection measures because of the associated costs.

HHS states that it does not intend for this report to be used as official agency guidance on data privacy laws and regulations for the healthcare industry, but rather as voluntary guidelines to help reduce cybersecurity risks at healthcare providers ranging from solo practitioners to large hospital systems. The HHS guidelines come out of the 405(d) Task Group, a reference to the section of the 2015 Cybersecurity Act requiring the group to issue voluntary guidelines. In preparing the guidelines, HHS determined that it was not feasible to address every cybersecurity challenge in the industry and chose instead to focus on the most common threats. Thus, HHS addresses only the five most prevalent types of cybersecurity threats and the ten best practices for securing against those threats. The threats and best practices identified are listed below.

Threats

  1. E-mail phishing attacks
  2. Ransomware attacks
  3. Loss or theft of equipment or data
  4. Insider, accidental, or intentional data loss
  5. Attacks against connected medical devices that may affect patient safety

Best Practices

  1. E-mail protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

It is important to note that this report considered recommendations made by numerous federal agencies (including the Centers for Medicare and Medicaid Services (CMS) and the Food and Drug Administration), and while it should not be considered legally binding agency guidance, it may inform those agencies' thinking about applicable laws and regulations. Those in the healthcare industry would be well served to continue improving their cybersecurity programs, especially to the extent they can make improvements related to the best practices outlined in this report. For the full report please see the following link.