Private Duty

HHS lays out ‘voluntary cybersecurity practices’ for health care providers

HHS recently released suggested measures to protect health care businesses from cyberattacks on their electronic health record (EHR) systems and protected health information (PHI).

Included among threats HHS says agencies should watch for is ransomware, which has become a common hacking exploit in health care.

HHS announced it was issuing the guidance in keeping with the Cybersecurity Act of 2015, which directed the agency to “develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the health care industry.”

Threats include:

  • E-mail phishing attacks;
  • Ransomware attacks;
  • Loss or theft of equipment or data;
  • Insider, accidental or intentional data loss; and
  • Attacks against connected medical devices that may affect patient safety.

Ransomware, a hack that locks the victim’s computer systems until the owner pays a fee, first began showing up in health care at private duty agencies and insurers in 2015.

Over time it has spread to hospitals and independent practices.

And it shows no sign of slowing down: One cybersecurity analysis firm has predicted “ransomware damage costs will rise to $11.5 billion in 2019 and one business will fall victim to a ransomware attack every 14 seconds by that time.”

The 10 practices for defense against these threats that HHS proposes include cybersecurity policies, incident response and endpoint protection systems.

“Just as we are able to protect our patients from infection,” HHS says, “we should all work towards protecting patient data to allow physicians and caregivers to trust the data and systems that enable quality health care.”

HHS emphasizes what providers stand to lose if they’re hacked: data breaches cost the U.S. health care system $6.2 billion in 2016, and “the presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.” — Roy Edroso

Related link: View the HHS Office for Civil Rights press release at Read more about managing threats and protecting patients at