Earlier this month, the Department of Health and Human Services (HHS) released a concept paper that outlines the Department’s cybersecurity strategy for the healthcare sector. The concept paper builds on the Biden Administration’s National Cybersecurity Strategy, focusing specifically on strengthening resilience for hospitals, patients, and communities threatened by cyber-attacks. The paper arrives at a crucial time for healthcare providers: according to the HHS Office for Civil Rights (OCR), large-breach cyber incidents in the healthcare sector increased 93% from 2018 to 2022, with a 278% increase in large breaches involving ransomware.
The HHS healthcare cybersecurity strategy consists of four concurrent components, with the overarching goal of strengthening cyber resiliency in the healthcare sector. The four components established by HHS are:
- Establish voluntary cybersecurity performance goals for the healthcare sector;
- Provide resources to incentivize and implement these cybersecurity practices;
- Implement an HHS-wide strategy to support greater enforcement and accountability; and
- Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity.
Under the first component, HHS plans to use industry input to establish and publish voluntary sector-specific cybersecurity performance goals, with the intention of setting a clear direction for industry and helping to inform potential future regulatory action. The forthcoming Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals (HPH CPGs) will assist healthcare providers in prioritizing implementation of high-impact cybersecurity practices. The HPH CPGs will include both “essential” goals, which outline minimum foundational practices for cybersecurity performance, and “enhanced” goals, which encourage adoption of more advanced practices.
To carry out its second component, HHS intends to work with Congress to obtain new authority and funding to both administer financial support for domestic hospital investments in cybersecurity and, in the long term, enforce new cybersecurity requirements through the imposition of financial consequences for hospitals. HHS envisions the establishment of two programs:
- An upfront investments program, to help high-need healthcare providers, such as low-resourced hospitals, cover the upfront costs associated with implementing “essential” HPH CPGs, and
- An incentive program to encourage all hospitals to invest in advanced cybersecurity practices to implement “enhanced” HPH CPGs.
Under the third component, HHS plans to propose incorporating the HPH CPGs into existing regulations and programs, which will inform the creation of new enforceable cybersecurity standards. Forthcoming proposed HHS actions include new cybersecurity requirements for hospitals through Medicare and Medicaid, as well as an update to the HIPAA Security Rule to include new cybersecurity requirements.
Lastly, the fourth component calls for HHS to mature its “one-stop shop” cybersecurity support function for the healthcare sector within the Administration for Strategic Preparedness and Response (ASPR), so that industry can more effectively access federal government support and services. HHS hopes that a one-stop shop will enhance coordination within HHS and the federal government, deepen the government’s partnership with industry, increase HHS’s incident response capability, and promote greater uptake of government services and resources.