Back to News

Government Health Agencies Release Cybersecurity Guidelines

Published on

February 15, 2019

Last month, the Healthcare and Public Health Sector Coordinating Council, a government-backed coalition of hospitals and medical device manufacturers, released a “Medical Device and Health IT Joint Security Plan.” The plan outlines protections device manufacturers should take (and hospitals should demand) to reduce exposure to cyber hacking.

This follows the recent release of the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” from the Department of Health and Human Services, in partnership with the Health Sector Coordinating Council, in December. The four-volume December publication is designed to provide voluntary cybersecurity practices to health care organizations of all types and sizes, ranging from local clinics to large health care systems.

The most recent publication is a result of the Cybersecurity Act of 2015, in which Congress required that a task force “identify the challenges that the healthcare industry faces when securing and protecting itself against cybersecurity threats.” The December publication was in response to a mandate set forth by the Cybersecurity Act of 2015, to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the health care industry.

The release of these guidelines follows the recent breach in 2015 to the health insurer Anthem (where the data of nearly 80 million people was compromised) and the 2017 wave of ransomware attacks at 16 British hospitals that forced emergency patient care to be diverted elsewhere. The continuous technological advances of the health care industry make it significantly susceptible to potential compromise of data and medical devices themselves. Nearly all medical equipment and devices are or have the capability of connecting to the internet. The development and widespread use of personal health devices imbedded with software that are or can be used for medical purposes has added to the medical and health information that is susceptible to a cyberattack.  The three major threats in the health industry are:

  • That a medical device will not perform as intended with the potential to cause significant harm, i.e. pacemaker malfunctions.
  • Protected health information is breached or, accessed, possibly leading to improper use.
  • Providers receive inaccurate health information, which may lead to improper diagnoses and recommended treatment.

A highly experienced compliance consultant for medical device manufacturers recently explained that the U.S. Food and Drug Administration regulates post-market devices by enabling manufacturers to take design action when a threat becomes apparent without requiring that an application (510(k)) be filed.

He also explained that for pre market devices, U.S. regulations are lacking in any similar provision that is intended to protect against a cyber-attack. However, the applicable European standard (IEC 62304) requires all medical device manufacturers to have cyber security provisions pertaining to the protection of the devices. This standard provides a framework of software development life cycle processes with activities and tasks necessary for the safe design and maintenance of medical devices.

Even though this standard is not directly enforceable in the U.S., a large majority of manufacturers produce devices that are used in both the U.S. and Europe, and thus choose to apply the European standard to all the devices they manufacture.If you are a health care organization with questions on these competing standards and what you should do to protect your electronic information, please reach out to me or anyone in our Health Law Industry Group.


Related News

View More News
News Alert
March 22, 2024

More Government Scrutiny of Private Equity’s Role in Healthcare, Including Nursing Facilities

On March 5, 2024, the U.S. Department of Health and Human Services (HHS), F...

Learn More
Press Release
March 15, 2024

Barley Snyder Partner Jeff Lobach Selected to CPBJ Power 100 List for Fourth Consecutive Year

For Immediate Release York, PA – For the fourth consecutive year, par...

Learn More
Newsletter
February 23, 2024

Barley Snyder 2023 Year In Review

Check out what the professionals of Barley Snyder have been up to in 2023 a...

Learn More

Other Upcoming Events

View All Upcoming Events
May
10
12:00 pm
-
5:00 pm
event
Location

Title IX Training: New Regulations & Updates – An Extension of the Employment Law Seminar

Learn More
Apr
10
12:00 pm
-
6:00 pm
event
Location

LendiCon 2024

Learn More
May
10
8:00 am
-
5:00 pm
event
Location

41st Annual Employment Law Seminar

Learn More

Get in Touch

Our attorneys, paralegals and staff look forward to hearing from you. Please reach out to let us know how we can help.

Get In Touch
RECOGNIZED IN
Super Lawyers
Best Law Firms US News
Best Lawyers