Health agency looks to bolster cybersecurity with new guidelines for industry

The Department of Health and Human Services has released voluntary cybersecurity guidelines for health care professionals.

2018 was a busy year for cyberthreats to the health care sector, with more than 3 million patient records breached in the second quarter alone, according to one study.

In an effort to learn from those incidents – and build on security progress in the sector – the Department of Health and Human Services (HHS) capped the year by releasing voluntary cybersecurity guidelines for health care professionals. The document, published Dec. 28 and developed with industry experts from the Health Sector Coordinating Council, emphasizes the financial and health impacts of cyber incidents and outlines steps practitioners can take to better secure their systems.

HHS lent urgency to the guidelines’ release by underscoring that the same technologies that provide critical treatment to patients can be exploited by hackers to steal patient data or disable hospital systems. “We are under constant cyberattack in the health sector, and no organization can escape that reality,” HHS Deputy Secretary Eric Hargan said in the document’s foreword.

The University of Chicago Medicine’s Erik Decker, co-lead for the Health Sector Coordinating Council, said the guidelines responded to health care professionals’ need for security advice. “We heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyberthreats,” Decker said.


A goal of the publication, which fulfills a mandate in the federal Cybersecurity Act of 2015, is to raise awareness of threats among the small and rural health care organizations that deliver the bulk of services around the country but tend to lack IT security expertise and resources.

“Most health care personnel are experts at identifying and eradicating viruses in patients, not computers,” the publication states. It warns health care professionals against assuming that their organization, “no matter how small,” is not a target of hackers, who look for organizations “that require the least time, effort, and money to exploit.”

In one example cited by HHS, a small Missouri clinic had to redirect ambulances carrying trauma and stroke patients to other facilities last July after being hit by ransomware. A similar scenario played out over Thanksgiving weekend at hospitals in Ohio and West Virginia.

It is no wonder that the guidelines list ransomware as one of five key threats to the health care sector – the digital-hostage-taking malware has been a scourge on the industry. As of October, nearly a quarter of the victims in 2018 of the disruptive ransomware strain known as SamSam were in health care, according to Symantec.

Organizations should develop a playbook for recovering from ransomware – and test it regularly, the HHS-backed guidelines say. Backup data shouldn’t be accessible on the network they are backing up, the document adds.
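The "test it regularly" step above is the one most organizations skip. As an added illustration (not code from the HHS guidelines or from this article), the POSIX shell script below writes a backup together with a SHA-256 manifest of every file, then performs a restore drill: it unpacks the archive into a scratch directory and re-verifies each file against the manifest, failing loudly if anything is missing or altered. The paths and file names it uses are hypothetical, and it assumes GNU tar and sha256sum.

```shell
#!/bin/sh
# Added example, not part of the HHS guidelines: a minimal backup plus
# automated restore drill. The drill is meant to run on the backup host,
# which pulls from production, so production systems hold no credentials
# for the backup store (the "not accessible on the network" property).
set -eu

# make_backup SRC_DIR DEST_DIR
# Archives SRC_DIR into DEST_DIR and writes a SHA-256 manifest beside the
# archive. Prints the archive path. SRC_DIR/DEST_DIR are caller-supplied
# (hypothetical, e.g. /var/lib/ehr and /mnt/offline-backup).
make_backup() {
    src="$1"; dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/backup-$stamp.tar"
    mkdir -p "$dest"
    # -C so the archive stores relative paths and restores anywhere
    tar -cf "$archive" -C "$src" .
    # Hash every file as it was at backup time; -exec handles odd names
    (cd "$src" && find . -type f -exec sha256sum {} + | sort) > "$archive.sha256"
    echo "$archive"
}

# restore_drill ARCHIVE
# Restores ARCHIVE into a fresh scratch directory and checks every file
# against the manifest. Returns 0 only if the restore is byte-for-byte
# intact; anything else is a failed drill and should page someone.
restore_drill() {
    archive="$1"
    scratch=$(mktemp -d)
    status=1
    if tar -xf "$archive" -C "$scratch" \
       && (cd "$scratch" && sha256sum -c --quiet "$archive.sha256"); then
        status=0
    fi
    rm -rf "$scratch"
    return "$status"
}
```

Run the drill on a schedule from the backup side, and treat a non-zero exit as an incident: a backup that cannot be restored and verified is not a backup. Keep the manifest with the archive, since a restore that silently drops or truncates files is exactly the failure a ransomware recovery cannot afford.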


The document also suggests 10 basic best practices for organizations to follow, including tips for endpoint protection, incident response and the delicate issue of handling medical-device security.

Many health providers operate legacy devices laden with cybersecurity vulnerabilities, but replacing those devices can be very costly, making this one of the most challenging issues facing the industry. The new guidelines advise health care organizations not to make configuration changes to devices without help from the manufacturer. “Doing so may put the [organization] at risk of voiding warranties, result in legal liabilities, and, at worst, harm the patient.”

Guidelines, of course, are only as good as their implementation. Beau Woods, a cyber safety innovation fellow at the Atlantic Council, told CyberScoop that one of the biggest cybersecurity issues facing the health care sector is not a lack of guidance but rather getting those best practices “to the people who need them the most in a way that is implementable.”

Woods welcomed the guidelines’ tailoring of advice to health care organizations of all sizes. It is important, however, that HHS and industry representatives follow up to see how widely and effectively the document is adopted, he added.

John Riggi, senior advisor for cybersecurity and risk at the American Hospital Association, said his organization was “very pleased to see cybersecurity correlated and prioritized as both a patient safety and technology issue” in the guidelines.


“Just as cyber adversaries are ever-evolving in tactics and sophistication, the health care field will continue to evolve to help mitigate the latest cyberthreats,” added Riggi, a former top cybersecurity official at the FBI.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.