Is Cybersecurity on Your 2019 Work Plan?

January 10, 2019 Alerts and Newsletters

On December 28, 2018, the U.S. Department of Health and Human Services ("HHS") closed out the year by releasing long-awaited voluntary cybersecurity guidelines for the health care industry.[1] The four-volume publication, developed in collaboration with industry partners, outlines 5 of the most prevalent cybersecurity threats and 10 cybersecurity practices to mitigate those threats. The new guidelines have caused health care organizations to begin the New Year by considering whether a new industry standard has been established for reasonable and appropriate safeguards to protect against cyber-attacks.

The guidelines are the product of the Cybersecurity Act of 2015,[2] which directed the Secretary of HHS to establish, through a collaborative process with government and health care industry stakeholders, a common set of voluntary, consensus-based, and industry-led guidelines to reduce cybersecurity risks in a cost-effective manner.[3] Significantly, the guidelines recognize that health care organizations vary widely by size, type, technological sophistication, and availability of resources. Like the HIPAA Security Rule, the guidelines permit individual health care organizations to tailor their cybersecurity practices to their own needs. To help entities determine appropriate cybersecurity practices, the guidelines offer two separate technical volumes: one for small health care organizations, and one for medium and large health care organizations. As the guidelines underscore, it is critical that each health care organization, regardless of size, evaluate its vulnerabilities to cybersecurity threats and take steps to ensure that it is reasonably protected from cyber-attacks. Attackers typically look for targets that require the least time, effort, and money to exploit, so a smaller organization with weaker defenses is often a more attractive target than a larger one with stronger ones. No entity, no matter how small, is safe!

The guidelines identify the following 5 cybersecurity threats as the most prevalent in health care organizations: e-mail phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental or intentional data loss; and attacks against connected medical devices that may affect patient safety. The guidelines recommend the following 10 cybersecurity practices to mitigate those threats: e-mail protection systems; endpoint protection systems; access management; data protection and loss prevention; asset management; network management; vulnerability management; incident response; medical device security; and cybersecurity policies.

Cyber-attacks are an increasingly serious matter. In 2017, cyber-attacks cost small and medium-sized businesses an average of $2.2 million. And across all industries, the health care industry experiences the highest cost for data breaches, with an estimated cost of $408 per record breached in 2018 (up from $380 in 2017). Cyber-attacks can also pose serious danger to patients. As recent incidents have shown, attackers are capable of infiltrating and disrupting connected medical devices such as heart monitors, and of locking up entire EHR systems, depriving patients of vital medical care. On top of all that, successful cyber-attacks cause serious reputational harm to affected entities.

The guidelines should remind organizational leaders that protecting against cyber-attacks is the responsibility of all workforce members, not just the IT department. Workforce members must understand and be familiar with their entity's policies and procedures, and entities are responsible for ensuring that their workforce members comply with those policies and procedures. Education and training are essential at all organizational levels to prevent cyber-attacks and to respond appropriately when—not if—a cyber-attack occurs.

As health care organizations embark on their 2019 work plans, they would be well advised to consider that the cybersecurity guidelines may well signal a new industry standard for protecting against cybersecurity threats. In addition, although the guidelines are currently voluntary, HHS may incorporate them into its audits or require their adoption in the future. The full effect of the guidelines will be determined over time as they are implemented by the health care industry and interpreted by the courts. In the meantime, and in light of the new guidelines and the rising cost of cyber-attacks, is your organization ringing in the New Year by prioritizing cybersecurity on its 2019 work plan?

[1] Healthcare & Pub. Health Sector Coordinating Councils, Dep't of Health & Human Servs., Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (Dec. 28, 2018),

[2] Pub. L. No. 114-113, 129 Stat. 2242 (2015).

[3] 6 U.S.C. § 1533(d)(1).