AHA Raises Concerns Over HHS Cybersecurity Strategy

December 14, 2023 - The American Hospital Association (AHA) expressed dissatisfaction with parts of HHS’ recently released healthcare cybersecurity strategy, which was unveiled in early December. Specifically, the AHA is opposed to HHS’ proposal of using financial penalties against hospitals to enforce cybersecurity requirements.

The newly released strategy consists of a concept paper released by HHS that centers around four actions that the department plans to take in the near future. One of these actions is providing resources to incentivize and implement new sector-specific cybersecurity performance goals (CPGs).

First, HHS plans to establish an upfront investments program to help under-resourced hospitals meet these requirements, followed by an incentives program to encourage implementation.

“HHS will work with Congress to obtain new authority and funding to both administer financial support for domestic hospital investments in cybersecurity and, in the long term, enforce new cybersecurity requirements through the imposition of financial consequences for hospitals,” HHS added.

In response, the AHA expressed concerns about the possibility of penalizing hospitals for not meeting these requirements.

“Responding today to HHS’ ‘Concept Paper’ on strategies for enhancing health care cybersecurity, the AHA welcomes the investment of federal expertise and funding in protecting hospital and health system patients from heinous attacks on critical health care infrastructure,” said Rick Pollack, AHA president and CEO.

“However, this fight is largely against sophisticated foreign-based hackers who often work at the permission of and in collusion with hostile nation states. Defeating these hackers requires the combined expertise and authorities of the federal government.”

Rather than punishing a highly targeted and under-resourced sector for falling victim to cyberattacks, the AHA suggested, HHS should work alongside the hospitals to further support them.

“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals have originated from third-party technology and other vendors,” Pollack continued.

“No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks.”

Pollack stated that the AHA would continue to work with Congress and federal agencies to develop policies that protect patients, health data, and healthcare organizations from cyber risk.