HHS Reveals Strategy to Improve Healthcare Cybersecurity

The healthcare sector continues to be a top target for cyber-attacks. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) tracks large data breaches. OCR data shows the number of large data breaches went from 369 in 2018 to 712 in 2022, a 93% increase. There was a 278% increase in large ransomware breaches in that same period.

Cyber-attacks that impact hospitals and other healthcare organizations can jeopardize patients’ health and safety. Cyber incidents can force ambulances to be rerouted, cause appointments to be canceled, and delay medical procedures.

To support federal initiatives to better defend critical infrastructure from cyber incidents, HHS developed a strategy to help healthcare organizations design more effective cybersecurity programs. To execute the strategy, HHS will take the following steps:

Establish Voluntary Cybersecurity Goals for the Healthcare Sector

Currently, healthcare organizations have access to numerous cybersecurity standards and guidance that apply to the sector, which can create confusion regarding which cybersecurity practices to prioritize. HHS, with input from industry, will establish and publish voluntary sector-specific cybersecurity performance goals, setting a clear direction for the industry and helping to inform potential future regulatory action from the Department. The Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) will help healthcare institutions prioritize the implementation of high-impact cybersecurity practices. HPH CPGs will include both “essential” goals to outline minimum foundational practices for cybersecurity performance and “enhanced” goals to encourage the adoption of more advanced practices.

Provide Resources to Incentivize and Implement these Cybersecurity Practices

HHS will work with Congress to obtain new authority and funding to both administer financial support for domestic hospital investments in cybersecurity and, in the long term, enforce new cybersecurity requirements through the imposition of financial consequences for hospitals. HHS envisions the establishment of two programs:

  • An upfront investments program, to help high-need healthcare providers, such as low-resourced hospitals, cover the upfront costs associated with implementing “essential” HPH CPGs.
  • An incentive program to encourage all hospitals to invest in advanced cybersecurity practices to implement “enhanced” HPH CPGs.

Implement an HHS-wide Strategy to Support Greater Enforcement and Accountability

Funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector. Given the increased risk profile of hospitals, HHS aspires to have all hospitals meeting sector-specific CPGs in the coming years. With additional authorities and resources, HHS will propose the incorporation of HPH CPGs into existing regulations and programs that will inform the creation of new enforceable cybersecurity standards.

HHS is working toward, and expects to seek comment on, the following proposed actions based on the HPH CPGs:

  • CMS will propose new cybersecurity requirements for hospitals through Medicare and Medicaid.
  • The HHS Office for Civil Rights will begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, in spring of 2024, to include new cybersecurity requirements.

HHS will also continue to work with Congress to increase civil monetary penalties for HIPAA violations and increase resources for HHS to investigate potential HIPAA violations, conduct proactive audits, and scale outreach and technical assistance for low-resourced organizations to improve HIPAA compliance. In the interim, HHS will continue to investigate potential HIPAA violations.

Expand and Mature the One-stop Shop Within HHS for Healthcare Sector Cybersecurity

HHS will mature its “one-stop shop” cybersecurity support function for the healthcare sector within the Administration of Strategic Preparedness and Response (ASPR) to more effectively enable industry to access the support and services the Federal Government has to offer. A one-stop shop will enhance coordination within HHS and the Federal Government, deepen the government’s partnership with industry, increase HHS’s incident response capabilities, and promote greater uptake of government services and resources such as technical assistance, vulnerability scanning, and more. ASPR has the response expertise and capabilities appropriate for helping the sector navigate and access the array of cybersecurity support available from HHS and across the Federal Government.

CompliancePoint offers a suite of cybersecurity services tailored for healthcare professionals. We can help your organization design and implement an effective cybersecurity program, achieve HIPAA compliance, and obtain a HITRUST certification. Contact us at connect@compliancepoint.com to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.