The HHS has published a Healthcare Cybersecurity Strategy document outlining the steps that have been and will be taken to improve healthcare cybersecurity. In the Healthcare Cybersecurity Strategy, published on December 6, 2023, the HHS explained that action must be taken to combat the increasing number of cyberattacks on the healthcare sector.
From 2018 to 2022, there was a 93% increase in large data breaches and a 278% increase in ransomware attacks. Cyberattacks cause outages, resulting in diversions to other healthcare facilities, delays in diagnosis and treatment, canceled appointments, and extended hospital stays. Data breaches lead to financial losses for patients and are a major source of stress and anxiety. These adverse effects can be avoided by adhering to cybersecurity best practices and implementing appropriate cybersecurity solutions.
Tackling the issue of cybersecurity in healthcare requires a concerted effort by government and industry, with the government providing guidance and cybersecurity resources, incentives and financial support, and new cybersecurity regulations.
The HHS is planning a carrot-and-stick approach that will initially establish voluntary Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs), setting a clear direction for the industry to improve cybersecurity. The HPH CPGs will consist of essential and enhanced goals, and guidance will be offered to help healthcare organizations prioritize the implementation of high-impact cybersecurity practices. The enhanced HPH CPGs will encourage healthcare organizations to adopt more advanced cybersecurity practices.
The HHS will work with Congress to obtain new authority and funding to provide financial support for domestic hospital investment in cybersecurity through an upfront investments program. This program will be established to help high-need healthcare providers such as low-resourced hospitals adopt the essential HPH CPGs. There will also be an incentive program to encourage hospitals to adopt the enhanced HPH CPGs. The goal is to ensure that all U.S. hospitals implement the essential HPH CPGs to achieve a baseline standard of cybersecurity.
According to the planning document, “Funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector,” so the HHS will seek additional authorities and resources from Congress to incorporate the HPH CPGs into existing regulations and programs and will create enforceable cybersecurity standards. The HHS Centers for Medicare and Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals through Medicare and Medicaid, which will tie federal payments to baseline cybersecurity standards. The HHS will also propose an update to the HIPAA Security Rule – penciled in for Spring 2024 – to include new enforceable cybersecurity requirements.
The HHS will also work with Congress to increase the civil monetary penalties for HIPAA violations, and will seek increased resources to conduct more proactive audits of HIPAA Security Rule compliance and to scale outreach and technical assistance for low-resourced organizations to improve HIPAA compliance. The HHS also plans to expand and mature its one-stop shop for healthcare sector cybersecurity within the Administration for Strategic Preparedness and Response (ASPR) to more effectively enable industry to access the support and services the Federal Government has to offer.
These efforts are intended to ensure that the cyber resilience of the healthcare sector is improved in the face of the growing threat of cyber incidents, especially for high-risk targets such as hospitals.