New cybersecurity best practices from the Department of Health and Human Services are more than helpful suggestions for provider organizations—they set security practices that are likely to become the de facto standard industry wide.
The new guidance, available here, should not be ignored, says Bruce Armon, a health law partner in Philadelphia-based Saul Ewing Arnstein & Lehr. The federal agency expects its guidance to be followed, he says.
HHS wants to see adequate cybersecurity technology and processes, personnel trained in cyber awareness and additional appropriate controls, emphasizes Marcus Christian, a partner in the Mayer Brown law firm in Washington.
“This is not just an IT problem, as the legal, privacy and HR departments will all be involved. Regulators are being more actively involved in high-level standards and particular guidance, and they want to see a formal security program with a customized incident response plan,” Christian says. “Failure to implement will lead to negative consequences in the future if appropriate controls are not put in place.”
Christian also cautions that state attorneys’ general and other regulators also are…
