Is Cybersecurity on Your 2019 Work Plan?

January 10, 2019 Alerts and Newsletters

On December 28, 2018, the U.S. Department of Health and Human Services ("HHS") closed out the year by releasing long-awaited voluntary cybersecurity guidelines for the health care industry.[1] The four-volume publication, developed in collaboration with industry partners, outlines 5 of the most prevalent cybersecurity threats and 10 cybersecurity practices to mitigate those threats. The new guidelines have caused health care organizations to begin the New Year by considering whether a new industry standard has been established for reasonable and appropriate safeguards to protect against cyber-attacks.

The guidelines are the product of the Cybersecurity Act of 2015,[2] which directed the Secretary of HHS to establish, through a collaborative process with government and health care industry stakeholders, a common set of voluntary, consensus-based, and industry-led guidelines to reduce cybersecurity risks in a cost-effective manner.[3] Importantly, the guidelines recognize that health care organizations vary significantly by size, type, technological sophistication, and availability of resources. Like the HIPAA Security Rule, the guidelines permit individual health care organizations to tailor their cybersecurity practices to their own individual needs. To help entities determine appropriate cybersecurity practices, the guidelines offer two separate technical volumes: one for small health care organizations, and one for medium and large health care organizations. As underscored by the guidelines, it is critical that each health care organization, regardless of size, evaluate its vulnerabilities to cybersecurity threats and take steps to ensure that it is reasonably protected from cyber-attacks. Hackers typically look for targets that require the least time, effort, and money to exploit. No entity, no matter how small, is safe!

The following 5 cybersecurity threats were identified as the most prevalent in health care organizations: e-mail phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental or intentional data loss; and attacks against connected medical devices that may affect patient safety. The guidelines recommend the following 10 cybersecurity practices to mitigate the foregoing risks: e-mail protection systems; endpoint protection systems; access management; data protection and loss prevention; asset management; network management; vulnerability management; incident response; medical device security; and cybersecurity policies.

Cyber-attacks are an increasingly serious matter. In 2017, cyber-attacks cost small and medium-sized businesses an average of $2.2 million. And across all industries, the health care industry experiences the highest cost for data breaches, with an estimated cost of $408 per record breached in 2018 (up from $380 in 2017). Cyber-attacks can also pose serious danger to patients. As recent breaches have shown, hackers are capable of infiltrating and disrupting connected medical devices like heart monitors and freezing entire EHR systems, depriving patients of vital medical care. On top of all that, successful cyber-attacks cause serious reputational harm to affected entities.

The guidelines should remind organizational leaders that protecting against cyber-attacks is the responsibility of all workforce members, not just the IT department. Workforce members must understand and be familiar with their entities' policies and procedures, and entities are responsible for ensuring that their workforce members are in compliance with their policies and procedures. Education and training are essential at all organizational levels to prevent cyber-attacks and respond appropriately when—not if—a cyber-attack occurs.

As health care organizations embark on their 2019 work plans, they would be well advised to consider that the cybersecurity guidelines may well signal a new industry standard for protecting against cybersecurity threats. In addition, although the cybersecurity guidelines are currently voluntary, HHS may incorporate the guidelines in its audits, or require the adoption of the guidelines in the future. The full effect of the guidelines will be determined over time as they are implemented by the health care industry and interpreted by the courts. In the meantime, and in light of the new guidelines and rising cost of cyber-attacks, is your organization ringing in the New Year by prioritizing cybersecurity on its 2019 work plan?

[1] Healthcare & Pub. Health Sector Coordinating Councils, Dep't of Health & Human Servs., Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (Dec. 28, 2018),

[2] Pub. L. No. 114-113, 129 Stat. 2242 (2015).

[3] 6 U.S.C. § 1533(d)(1).
