The US Department of Health and Human Services recently updated its guide to help the private and public healthcare sectors develop cybersecurity protocols that address NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The guide is a toolkit, with information and resources intended to help companies implement cybersecurity programs in the health care space. While the aim of this guidance is to help companies implement NIST’s protocols for protecting US critical infrastructure, the recommendations contained in the guide mirror other agencies’ security recommendations (for example those we have written about from the Department of Labor and the FDA).
Included in the guide are recommendations on implementing NIST’s seven-step cybersecurity framework (prioritize – orient – create a current profile – risk assessment – target profile – gap identification – action plan). Within the guide are items specific to health care providers, including conduct an enterprise wide inventory of the creation, reception, maintenance, and transmission of electronic protected health information (ePHI) and doing a business impact analysis on systems that create, receive, maintain, and transmit ePHI. The guide also contains information about external resources available to assist in cybersecurity efforts (with a list of many tools developed for the health care industry, like the Health Care and Public Health Risk Identification and Site Criticality Toolkit).
Putting it into practice: While this guide is intended as a resource rather than a compliance roadmap, it is a reminder that HHS is increasing its focus on cybersecurity.