Is Cybersecurity on Your 2019 Work Plan?

January 10, 2019 Alerts and Newsletters

On December 28, 2018, the U.S. Department of Health and Human Services ("HHS") closed out the year by releasing long-awaited voluntary cybersecurity guidelines for the health care industry.[1] The four-volume publication, developed in collaboration with industry partners, outlines 5 of the most prevalent cybersecurity threats and 10 cybersecurity practices to mitigate those threats. The new guidelines have caused health care organizations to begin the New Year by considering whether a new industry standard has been established for reasonable and appropriate safeguards to protect against cyber-attacks.

The guidelines are the product of the Cybersecurity Act of 2015,[2] which directed the Secretary of HHS to establish, through a collaborative process with government and health care industry stakeholders, a common set of voluntary, consensus-based, and industry-led guidelines to reduce cybersecurity risks in a cost-effective manner.[3] Significantly, the guidelines recognize that health care organizations vary widely by size, type, technological sophistication, and availability of resources. Like the HIPAA Security Rule, the guidelines permit individual health care organizations to tailor their cybersecurity practices to their own individual needs. To help entities determine appropriate cybersecurity practices, the guidelines offer two separate technical volumes—one for small health care organizations, and one for medium and large health care organizations. As underscored by the guidelines, it is critical that each health care organization, regardless of size, evaluate its vulnerabilities to cybersecurity threats and take steps to ensure that it is reasonably protected from cyber-attacks. Hackers typically look for targets that require the least time, effort, and money to exploit. No entity, no matter how small, is safe!

The following 5 cybersecurity threats were identified as the most prevalent in health care organizations: e-mail phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental or intentional data loss; and attacks against connected medical devices that may affect patient safety. The guidelines recommend the following 10 cybersecurity practices to mitigate the foregoing risks: e-mail protection systems; endpoint protection systems; access management; data protection and loss prevention; asset management; network management; vulnerability management; incident response; medical device security; and cybersecurity policies.

Cyber-attacks are an increasingly serious matter. In 2017, cyber-attacks cost small and medium-sized businesses an average of $2.2 million. And across all industries, the health care industry experiences the highest cost for data breaches, with an estimated cost of $408 per record breached in 2018 (up from $380 in 2017). Cyber-attacks can also pose serious danger to patients. As recent breaches have shown, hackers are capable of infiltrating and disrupting connected medical devices like heart monitors and freezing entire EHR systems, depriving patients of vital medical care. On top of all that, successful cyber-attacks cause serious reputational harm to affected entities.

The guidelines should remind organizational leaders that protecting against cyber-attacks is the responsibility of all workforce members, not just the IT department. Workforce members must understand and be familiar with their entities' policies and procedures, and entities are responsible for ensuring that their workforce members are in compliance with their policies and procedures. Education and training are essential at all organizational levels to prevent cyber-attacks and respond appropriately when—not if—a cyber-attack occurs.

As health care organizations embark on their 2019 work plans, they would be well advised to consider that the cybersecurity guidelines may well signal a new industry standard for protecting against cybersecurity threats. In addition, although the cybersecurity guidelines are currently voluntary, HHS may incorporate the guidelines in its audits, or require the adoption of the guidelines in the future. The full effect of the guidelines will be determined over time as they are implemented by the health care industry and interpreted by the courts. In the meantime, and in light of the new guidelines and rising cost of cyber-attacks, is your organization ringing in the New Year by prioritizing cybersecurity on its 2019 work plan?

[1] Healthcare & Pub. Health Sector Coordinating Councils, Dep't of Health & Human Servs., Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (Dec. 28, 2018),

[2] Pub. L. No. 114-113, 129 Stat. 2242 (2015).

[3] 6 U.S.C. § 1533(d)(1).
