Perspectives on New HHS Cybersecurity Guidance
Health Policy
Published March 25, 2019; updated April 6, 2023
By: Sam Cohen

As healthcare organizations remain prime targets for hackers and cyberattacks, data security remains a top concern for practices and hospitals across the country. According to reports from the U.S. Office for Civil Rights (OCR), more than 13 million patients nationwide were affected by data breaches in 2018 alone.

To help healthcare providers secure HIPAA-protected patient information, the U.S. Department of Health and Human Services (HHS) recently issued new guidance that outlines best practices for maintaining high-quality cybersecurity and avoiding potential data breaches. This newly released guide is based on the work of a specialized task force made up of more than 150 industry and government cybersecurity and healthcare experts, and it includes four individual documents:

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (Main Guidance Document)
Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations (Small Organization Guidance)
Technical Volume 2: Cybersecurity Practices for Medium and Large Healthcare Organizations (Larger Organization Guidance)
Resources and Templates

An accompanying Cybersecurity Practices Assessments Toolkit is currently in development but has not yet been finalized. Healthcare providers can receive an advance copy of this tool by emailing CISA405d@hhs.gov.

In addition to providing background information about the effects of cyberattacks and data breaches on the healthcare industry, the Main Guidance Document details five major threats to healthcare data security. For each threat, the document lists related vulnerabilities, potential consequences, and practices that can help minimize it.
The outlined threat reduction techniques are directly tied to ten categories of cybersecurity practices (and related sub-practices) identified by the task force. The Small Organization Guidance and Larger Organization Guidance contain more in-depth discussion of these cybersecurity practices as they relate to the size and complexity of each intended audience.

This cybersecurity guidance is a valuable tool for practices looking to implement new data security strategies or strengthen existing policies. As part of the periodic review of data privacy and security policies and procedures, practice leaders should use these documents alongside other cybersecurity guidance material published by OCR to ensure they are addressing critical threats and implementing appropriate security measures.

Data privacy and security are important issues for every healthcare organization, and practice leaders should take advantage of all available resources to develop effective policies and procedures. Curi members seeking additional assistance are encouraged to consult the HIPAA Final Rule Guide or reach out to our Claims and Risk Management Departments at 800.662.7917.

Disclaimer: This post is written in general terms and is not a substitute for legal advice or intended to create an attorney-client relationship.

Sam Cohen is Curi’s Senior Vice President of Health Policy. Curi members may contact him directly at sam.cohen@curi.com and 919.878.7602. Readers also can follow him on Twitter @samuel_c_cohen.