Virginia Hospital Community Develops Cybersecurity Guidelines to Help Protect Health Care Information Systems in the Face of Cyber Attack Threats

May 17, 2017

Cybersecurity Task Force Established by Virginia Hospital & Healthcare Association Board of Directors Developed Virginia-Specific Best Practices and Guidelines Focused on Employee Education, Prevention, and Operational Continuity to Guard Against Attempted Incursions by Cyber Bandits

RICHMOND, VA – The recent global ransomware attack that reportedly affected an estimated 200,000 computers across North America, Europe, and Asia is a startling reminder of the hacking dangers posed to the information systems central to so much of modern life. As keepers of private health care information, members of the hospital community are acutely aware of the existence of these threats and continue to take important security steps to safeguard that data. To that end, the Virginia Hospital & Healthcare Association’s (VHHA) Board of Directors convened a Cybersecurity Task Force to develop a set of guidelines to help Virginia’s hospitals and health systems guard against attempted cyber penetration.

The guidelines were finalized this spring by the Task Force, which includes health care information security officers from hospitals and health systems across the Commonwealth. The guidelines are a set of precautionary standards organized around three key principles:

  • Educate all personnel during orientation and on an ongoing basis about safe, responsible use of computer systems to help avoid infiltration.
  • Develop and implement a prevention plan that operates automatically and is an integral part of a health system’s processes and security protocols.
  • In the event of a security breach, implement the established security incident response and continuity plan.

“For all the convenience and enhanced productivity that technology provides, it is an unfortunate reality of modern life that digital criminals are lurking online to turn technology against us for their own nefarious purposes,” said VHHA President and CEO Sean T. Connaughton. “The hospital community is one of many industries around the globe that is well aware of these threats. In Virginia, our hospitals and health systems remain on guard against potential breaches. Our members have done that by advocating for new laws to toughen criminal penalties for cyberattacks targeting health care records, and by working collaboratively to prepare the new cybersecurity guidelines.”

The Task Force developed nearly two dozen recommendations based on the current state of affairs. These guidelines will be updated as appropriate to respond to new developments, safety protocols, emerging threats, and other related factors. The guidelines call for employee education to inform staff members about safe and proper use of computer systems, making employees aware of common tricks used by hackers to gain system access, testing employees’ use of recommended safeguards, and conducting internal security reviews and test drills involving workforce responses to simulated phishing e-mails, for example. Other recommendations include regular review of cybersecurity systems, the use of advanced authentication measures, strong filters, firewall configuration to block malicious IP addresses, scheduling regular anti-virus and anti-malware scans on system computers, employing web content filtering to block access to known malicious sites or content, ensuring data backup protocols so that any data corrupted or confiscated can be restored from a secure archive, locating data backup storage off-site, encrypting privileged account information, implementing a multi-segmented network, and partnering with local and federal law enforcement officials on information security awareness programs. These guidelines were in place at hospitals and health systems throughout the Commonwealth prior to the most recent worldwide ransomware attack. And the guidelines are consistent with recommendations recently released by the U.S. Department of Health & Human Services, in conjunction with federal law enforcement agencies.

During the 2017 General Assembly session, VHHA advocated for legislation to add enhanced penalties to state law for the use of ransomware as part of an effort to compromise health care computer systems containing private medical information. The legislation called for adding new language to the Code of Virginia to make it a Class 5 felony to use ransomware that denies users access to their data. Ransomware is a type of malware designed to damage or disable computers and computer systems. Although the legislation (HB 2288 and SB 1090) did not advance during the 2017 session, VHHA and its members continue to work to protect the integrity of electronic health care records for the good of our health care system and patients.

About VHHA: The Virginia Hospital & Healthcare Association is an alliance of 107 hospitals and 30 health delivery systems that develops and advocates for sound health care policy in the Commonwealth. Its mission is to achieve excellence in both health care and health. Its vision is through the power of collaboration to be recognized as a driving force behind making Virginia the healthiest state in the nation. Connect with VHHA through Facebook, Twitter, YouTube, LinkedIn, and


Julian Walker
Vice President of Communications
(804) 297-3193 office
(804) 304-7402 mobile