HHS Publishes Voluntary Cybersecurity Practices for the Health Care Industry, Plans to Develop Supplemental Guidance

Jan 9, 2019

Reading Time : 2 min

The development of the HICP Publication was mandated by Congress through Section 405(d) of the Cybersecurity Act of 2015 (Public Law 114-113). In May 2017, the 405(d) Task Group (the “Task Group”) was formed to develop these recommendations. The HICP Publication was released at the end of December, and the Task Group is currently working to draft additional, supplementary guidance.

At this time, the HICP Publication consists of four volumes: (1) the Main Document; (2) Technical Volume 1, which provides guidance for small health care organizations; (3) Technical Volume 2, which provides guidance for medium and large health care organizations; and (4) the Resources and Templates Volume. A fifth volume, the Cybersecurity Practices Assessments Toolkit, is under development.

The Main Document provides an overview of cybersecurity risk to the health care industry, including statistics regarding recent cybersecurity incidents, and explains the purpose of the HICP Publication. It sets forth the following five current cybersecurity threats facing health care organizations:

  • Email phishing.
  • Ransomware.
  • Loss or theft of equipment or data.
  • Insider, accidental or intentional data loss.
  • Attacks against connected medical devices that may affect patient safety.

For each threat, the Main Document provides a description, as well as a real-life scenario, and suggests a variety of means by which health care entities can reduce related cybersecurity risk.

The two technical volumes identify and detail the following ten cybersecurity practices to help mitigate these threats:

  • Email protection systems.
  • Endpoint protection systems.
  • Access management.
  • Data protection and loss prevention.
  • Asset management.
  • Network management.
  • Vulnerability management.
  • Incident response.
  • Medical device security.
  • Cybersecurity policies.

The technical volumes also provide subpractices tailored to the size of the health care entity—small, medium or large.

In selecting these ten cybersecurity practices, the Task Group sought to provide a model aligned with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (the “NIST Framework”). The HICP Publication explains that these ten practices are meant to help health care entities identify how to achieve the outcomes outlined in the NIST Framework. The NIST Framework is organized around five cybersecurity functions: identify, protect, detect, respond and recover.

The Resources and Templates Volume includes an appendix that maps each recommended subpractice to the NIST Framework. The Resources and Templates Volume also provides a variety of other resources, including templates for cybersecurity related policies and procedures.

The HICP Publication explains that the intent of these recommendations “is not to introduce a new framework, new methodology, or new regulatory requirement into the cybersecurity space, but rather to introduce guidance that will help raise the cybersecurity floor across the health care industry regarding our defensive and responsive cybersecurity practices.”

Health care organizations should also keep an eye out for forthcoming guidance related to the HICP Publication. The Task Group is planning to develop additional resources related to specific aspects of the HICP Publication, such as incident response and risk assessment and management.

Share This Insight

Previous Entries

Data Dive

March 3, 2025

On January 16, 2025, the Federal Trade Commission (FTC) issued a Final Rule updating the Children’s Online Privacy Protection (COPPA) Rule, significantly expanding compliance obligations for online services that collect, use, or disclose personal information from children under 13.1 The amendments impose new restrictions on targeted advertising, add data security requirements, refine parental consent mechanisms, and introduce additional compliance measures.

...

Read More

Data Dive

February 21, 2025

On January 8, 2025, the DOJ published a final rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

...

Read More

Data Dive

January 22, 2025

On January 17, 2025, days before the inauguration, former President Joe Biden issued an executive order titled Strengthening and Promoting Innovation in the Nation's Cybersecurity (EO 14144). Building on previous efforts, including Executive Order 14028, this directive seeks to bolster cybersecurity across federal systems, supply chains and critical infrastructure from adversarial nations, particularly from the People’s Republic of China (PRC).

...

Read More

Data Dive

January 10, 2025

UPDATE: The California Privacy Protection Agency (CPPA) has extended the deadline for submitting public comments from January 14 to February 19, 2025, in response to the recent California wildfires. This extension aims to afford stakeholders additional time to provide comprehensive and detailed feedback, considering the significant challenges posed by the wildfires.

...

Read More

Data Dive

November 25, 2024

Treasury has issued a Final Rule to implement President Biden’s 2023 EO targeting U.S. investments in Chinese companies engaged in certain activities related to semiconductors, quantum computing or AI.

...

Read More

Data Dive

November 19, 2024

The European Union’s AI Office published the inaugural General-Purpose AI Code of Practice on November 14, 2024. The Code is intended to assist providers of AI models in their preparations for compliance with the forthcoming EU AI Act, to be enforced from August 2, 2025. The Code is designed to be both forward-thinking and globally applicable, addressing the areas of transparency, risk evaluation, technical safeguards and governance. While adherence to the Code is not mandatory, it is anticipated to serve as a means of demonstrating compliance with the obligations under the EU AI Act. Following a consultation period that garnered approximately 430 responses, the AI Office will be empowered to apply these rules, with penalties for nonconformity potentially reaching 3% of worldwide turnover or €15 million. Three additional iterations of the Code are anticipated to be produced within the coming five months.

...

Read More

Data Dive

November 15, 2024

On October 29, 2024, the DOJ issued a proposed rule prohibiting and restricting certain transactions that could allow persons from countries of concern, such as China, access to bulk sensitive personal data of U.S. citizens or to U.S. government-related data (regardless of volume).

...

Read More

Data Dive

October 17, 2024

During the course of any lending transaction, lenders will conduct a due diligence review of the borrower, including reviewing any relevant “know-your-customer” information.

...

Read More

© 2025 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.