The Department of Health and Human Services (HHS) released the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication to provide voluntary cybersecurity practices to healthcare organizations.

The publication was in response to a mandate set forth by the Cybersecurity Act of 2015 Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry.

“Cybersecurity is everyone’s responsibility.  It is the responsibility of every organization working in healthcare and public health.  In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively,” said Janet Vogel, HHS Acting Chief Information Security Officer.

The HICP publication aims to provide cybersecurity practices to improve the security and safety of patients. The main document of the publication explores the five most relevant and current threats to the industry. It also recommends 10 Cybersecurity Practices to help mitigate these threats. The main document presents real-life events and statistics that demonstrate the financial and patient care impacts of cyber incidents.  It also lays out a call to action for all industry stakeholders, from C-suite executives and healthcare practitioners to IT security professionals, that protective and preventive measures must be taken now. The publication also includes two technical volumes geared for IT and IT security professionals. Technical Volume 1 focuses on cybersecurity practices for small healthcare organizations, while Technical Volume 2 focuses on practices for medium and large healthcare organizations. The last volume provides resources and templates that organizations can leverage to assess their own cybersecurity posture as well develop policies and procedures.

To download a copy of the publication, please visit www.phe.gov/405d.