HHS Unveils Healthcare Cybersecurity Strategy

December 07, 2023 - HHS released a concept paper outlining the department’s long-awaited healthcare cybersecurity strategy and establishing goals for improving the sector’s cybersecurity posture. The paper builds on President Biden’s National Cybersecurity Strategy, which the administration released in March 2023.

The National Cybersecurity Strategy was divided into five key pillars and focused on shifting cyber defense responsibilities, improving cyber resilience, and disrupting cyber threat operations. The healthcare cybersecurity strategy follows a similar format, consisting of four pillars and focusing on strengthening resilience for hospitals and patients impacted by cyberattacks.

“Hospitals across the country have experienced cyberattacks, leading to cancelled medical treatments and stolen medical records,” Anne Neuberger, deputy national security adviser for cyber and emerging technologies, stated in an HHS press release.  

“Such impacts are preventable – to keep Americans safe, the Biden-Harris Administration is establishing strong cybersecurity standards for health care organizations and enhancing resources to improve cyber resiliency across the health sector, including working with Congress to provide financial support for hospitals.”

The concept paper centers around four actions that HHS plans to take in the near future, the first of which is publishing voluntary healthcare and public health sector cybersecurity performance goals (HPH CPGs).

The Cybersecurity and Infrastructure Security Agency (CISA) maintains its own voluntary CPGs that serve as a benchmark for critical infrastructure entities to measure security maturity. Healthcare-specific CPGs will ideally streamline the numerous cybersecurity standards and guidance available for healthcare entities and clear up confusion about which cybersecurity practices to implement and prioritize.

“The Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) will help healthcare institutions prioritize implementation of high-impact cybersecurity practices,” the concept paper stated.

“HPH CPGs will include both ‘essential’ goals to outline minimum foundational practices for cybersecurity performance and ‘enhanced’ goals to encourage adoption of more advanced practices.”

Second, HHS aims to provide resources to actually incentivize and effectively implement these cybersecurity practices by working with Congress to obtain additional funding. In the future, HHS said in the document that it plans to “enforce new cybersecurity requirements through the imposition of financial consequences for hospitals.”

But in the short-term, the department’s goals are to establish an upfront investment program to help under-resourced hospitals cover the costs of implementing the CPGs and to set up an incentives program to encourage investment across the sector.

The third pillar consists of implementing an HHS-wide strategy to foster greater enforcement and accountability by updating established regulations and guidance.

“Funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector,” the concept paper stated.

“Given the increased risk profile of hospitals, HHS aspires to have all hospitals meeting sector-specific CPGs in the coming years. With additional authorities and resources, HHS will propose incorporation of HPH CPGs into existing regulations and programs that will inform the creation of new enforceable cybersecurity standards.”

The department will begin with CMS proposing new cybersecurity requirements for hospitals through Medicare and Medicaid. In addition, the HHS Office for Civil Rights (OCR) plans to release an update to the HIPAA Security Rule in Spring 2024 to include new security requirements.

“HHS will also continue to work with Congress to increase civil monetary penalties for HIPAA violations and increase resources for HHS to investigate potential HIPAA violations, conduct proactive audits, and scale outreach and technical assistance for low-resourced organizations to improve HIPAA compliance. In the interim, HHS will continue to investigate potential HIPAA violations,” HHS continued.

Lastly, the concept paper outlined HHS’ goal for expanding its “one-stop shop” for cybersecurity support in the sector. Within the Administration of Strategic Preparedness and Response (ASPR), HHS plans to enhance coordination between departments, increase its incident response capabilities, and promote an uptake of government resources in the sector.

“Taken together, HHS believes these goals, supports, and accountability measures can comprehensively and systematically advance the healthcare sector along the spectrum of cyber resiliency to better meet the growing threat of cyber incidents, especially for high-risk targets like hospitals,” the paper concluded.
“Acting on these priorities will protect the health and privacy of all Americans and enable safe access to health care.”