
January 10, 2019

Department of Health and Human Services Releases Cybersecurity Guidance and Resources Tailored to Health Industry

A series of recent guidance documents published by the Department of Health and Human Services (HHS) titled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients states the cost of data breaches for health care organizations is on the rise, increasing from $380 per breached record in 2017 to $408 per record in 2018. The average cost of a data breach for health care organizations is estimated to be $2.2 million. The guidance identifies common cybersecurity issues health care organizations face and provides cybersecurity practices these organizations can implement to mitigate any identified threats or vulnerabilities.

The guidance, which was created due to a directive in the Cybersecurity Act of 2015, is the product of a collaborative effort by health care and cybersecurity industry experts in both the public and private sectors. The guidance includes four documents, described in more detail as follows:

"Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients" (Main Publication)

This document provides an overview of current cybersecurity threats facing the health care industry and lists the five most common cybersecurity threats as:

  1. Email phishing attacks
  2. Ransomware attacks
  3. Loss or theft of equipment or data
  4. Insider data loss, either accidental or intentional
  5. Attacks against connected medical devices that may affect patient safety

For each threat, the document describes vulnerabilities, impacts, and practices for health care organizations to consider. Providers looking to mitigate these five threats are directed to review the technical volumes, which provide cybersecurity practices appropriate for small (Technical Volume 1) and medium to large (Technical Volume 2) organizations.

"Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations"

This document provides ten cybersecurity practices for small health care organizations, which often lack dedicated information technology (IT) and security staff because of limited resources. The ten practices, each broken into sub-practices intended to mitigate common cybersecurity threats, are:

  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies

"Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations"

This document provides cybersecurity practices for medium and large health care organizations, which may operate in more complex legal, operational, and regulatory environments. The categories of cybersecurity practices covered in Technical Volume 2 are similar to, but more expansive than, those addressed in Technical Volume 1, reflecting the more interconnected and complex IT systems found in these larger organizations.

"Resources and Templates"

This document provides additional resources to supplement the main publication and technical volumes, including a glossary of common terms and an overview of the cybersecurity practices and how they align with the NIST Cybersecurity Framework. This document also provides a list of free resources and template documents relating to the threats and concepts covered in the guidance documents.

In addition, HHS is in the process of developing a "cybersecurity practices assessments toolkit" to help organizations develop action plans to address security threats using a proposed assessment methodology.

If you have any questions regarding the content of this alert, please contact Bridget C. Steele, associate, at  or 716.858.3704.
