Back to News

Government Health Agencies Release Cybersecurity Guidelines

Published on

February 15, 2019

Last month, the Healthcare and Public Health Sector Coordinating Council, a government-backed coalition of hospitals and medical device manufacturers, released a “Medical Device and Health IT Joint Security Plan.” The plan outlines protections device manufacturers should take (and hospitals should demand) to reduce exposure to cyber hacking.

This follows the recent release of the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” from the Department of Health and Human Services, in partnership with the Health Sector Coordinating Council, in December. The four-volume December publication is designed to provide voluntary cybersecurity practices to health care organizations of all types and sizes, ranging from local clinics to large health care systems.

The most recent publication is a result of the Cybersecurity Act of 2015, in which Congress required that a task force “identify the challenges that the healthcare industry faces when securing and protecting itself against cybersecurity threats.” The December publication was in response to a mandate set forth by the Cybersecurity Act of 2015, to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the health care industry.

The release of these guidelines follows the recent breach in 2015 to the health insurer Anthem (where the data of nearly 80 million people was compromised) and the 2017 wave of ransomware attacks at 16 British hospitals that forced emergency patient care to be diverted elsewhere. The continuous technological advances of the health care industry make it significantly susceptible to potential compromise of data and medical devices themselves. Nearly all medical equipment and devices are or have the capability of connecting to the internet. The development and widespread use of personal health devices imbedded with software that are or can be used for medical purposes has added to the medical and health information that is susceptible to a cyberattack.  The three major threats in the health industry are:

  • That a medical device will not perform as intended with the potential to cause significant harm, i.e. pacemaker malfunctions.
  • Protected health information is breached or, accessed, possibly leading to improper use.
  • Providers receive inaccurate health information, which may lead to improper diagnoses and recommended treatment.

A highly experienced compliance consultant for medical device manufacturers recently explained that the U.S. Food and Drug Administration regulates post-market devices by enabling manufacturers to take design action when a threat becomes apparent without requiring that an application (510(k)) be filed.

He also explained that for pre market devices, U.S. regulations are lacking in any similar provision that is intended to protect against a cyber-attack. However, the applicable European standard (IEC 62304) requires all medical device manufacturers to have cyber security provisions pertaining to the protection of the devices. This standard provides a framework of software development life cycle processes with activities and tasks necessary for the safe design and maintenance of medical devices.

Even though this standard is not directly enforceable in the U.S., a large majority of manufacturers produce devices that are used in both the U.S. and Europe, and thus choose to apply the European standard to all the devices they manufacture.If you are a health care organization with questions on these competing standards and what you should do to protect your electronic information, please reach out to me or anyone in our Health Law Industry Group.


Related News

View More News
Press Release
August 15, 2024

Barley Snyder Attorneys Recognized by Best Lawyers in America

For Immediate Release Lancaster, Pa. – Forty-nine Barley Snyder attorneys have been recognized by The Best Lawyers in ...

Learn More
Press Release
July 31, 2024

Barley Snyder Partner Luke Weber Named to Pennsylvania Bar Association Bar Leadership Institute Class 2024-25

For Immediate Release Lancaster, Pa. – Barley Snyder partner Luke T. Weber has been named to the Pennsylvania Bar Associati...

Learn More
News Alert
July 22, 2024

New Pennsylvania Statute Imposes Significant Restrictions on Noncompetes for Healthcare Providers and New Patient Notification Requirements

Key takeaways: New legislation in Pennsylvania makes many noncompete clauses in employment contracts of healthcare providers ...

Learn More

Other Upcoming Events

View All Upcoming Events
Oct
23
3:00 pm
-
6:00 pm
event
Location

2024 Lancaster Business Seminar

Learn More
Oct
30
3:00 pm
-
6:00 pm
event
Location

2024 Harrisburg Business Seminar

Learn More
Nov
06
7:30 am
-
11:00 am
event
Location

Wake Up With Barley – A Morning on Real Estate 2024

Learn More

Get in Touch

Our attorneys, paralegals and staff look forward to hearing from you. Please reach out to let us know how we can help.

Get In Touch
RECOGNIZED IN
Super Lawyers
Best Law Firms US News
Best Lawyers