January 10, 2019

Department of Health and Human Services Releases Cybersecurity Guidance and Resources Tailored to Health Industry

A series of recent guidance documents published by the Department of Health and Human Services (HHS), titled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, states that the cost of data breaches for health care organizations is on the rise, increasing from $380 per breached record in 2017 to $408 per record in 2018. The average cost of a data breach for health care organizations is estimated to be $2.2 million. The guidance identifies common cybersecurity issues health care organizations face and provides cybersecurity practices these organizations can implement to mitigate the identified threats and vulnerabilities.

The guidance, which was created due to a directive in the Cybersecurity Act of 2015, is the product of a collaborative effort by health care and cybersecurity industry experts in both the public and private sectors. The guidance includes four documents, described in more detail as follows:

"Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients" (Main Publication)

This document provides an overview of current cybersecurity threats facing the health care industry and lists the five most common cybersecurity threats as:

  1. Email phishing attacks
  2. Ransomware attacks
  3. Loss or theft of equipment or data
  4. Insider data loss, either accidental or intentional
  5. Attacks against connected medical devices that may affect patient safety

For each threat, the document describes vulnerabilities, impacts, and practices for health care organizations to consider. Providers looking to mitigate these five threats are directed to review the technical volumes, which provide cybersecurity practices appropriate for small (Technical Volume 1) and medium to large (Technical Volume 2) organizations.

"Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations"

This document provides ten cybersecurity practices for small health care organizations, which may not have dedicated information technology (IT) and security staff due to limited resources. The practices, each with sub-practices intended to mitigate common cybersecurity threats, are:

  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

"Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations"

This document provides cybersecurity practices for medium and large health care organizations, which may operate in more complex legal, operational, and regulatory environments. The categories of cybersecurity practices covered in Technical Volume 2 are similar to, but more expansive than, those addressed in Technical Volume 1, reflecting the more interconnected and complex IT systems found in these larger organizations.

"Resources and Templates"

This document provides additional resources to supplement the main publication and technical volumes, including a glossary of common terms and an overview of the cybersecurity practices and how they align with the NIST Cybersecurity Framework. This document also provides a list of free resources and template documents relating to the threats and concepts covered in the guidance documents.

In addition, HHS is in the process of developing a "cybersecurity practices assessments toolkit" to help organizations develop action plans to address security threats using a proposed assessment methodology.

If you have any questions regarding the content of this alert, please contact Bridget C. Steele, associate, at  or 716.858.3704.