HHS releases voluntary cybersecurity guidance

The U.S. Department of Health and Human Services (HHS) has released voluntary guidance for health care organizations titled Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.

Mandated under the Cybersecurity Act of 2015, the HCIP report was developed by a task force of more than 150 cybersecurity and healthcare experts.

HHS said protecting against cyberattacks is like fighting a deadly virus. It takes mobilization and coordination of resources across myriad public and private stakeholders, including hospitals, IT vendors, medical device manufacturers, and governments to minimize risks and impact.

The average cost of a data breach per healthcare organization is $2.2 million, according to the HHS report.

HHS officials said that cybersecurity remains a top priority for the agency and stressed the importance of private-public partnerships -- like the one used to write HICP -- to protect critical infrastructure. In the coming months, HHS will work to raise awareness of the publication and to implement the suggested cybersecurity practices across the healthcare industry, officials said.

The report listed the five most relevant and current threats to the industry as phishing, ransomware, loss of theft of equipment or data, insider accidental data loss and attacks against digital health tools.