On December 6, 2023, the U.S. Department of Health and Human Services (HHS) released a concept paper outlining its new cybersecurity strategy for the health care sector. President Biden has made clear that all Americans deserve the full benefits and potential of our digital future. U.S. government’s approach to improving the nation’s cyber defense and securing our digital infrastructure.
The plan included:
- Establishing cybersecurity regulations to secure critical infrastructure
- Using Federal incentives to build security
- Holding the stewards of data accountable
As America’s healthcare system continues to undergo a digital transformation, government and industry must work together to fulfill the President’s vision to secure our healthcare system and protect patients from cyber threats. This paper provides an overview of HHS’ proposed framework to help the healthcare sector address these cybersecurity threats and protect patients.
HHS will take the following concurrent steps to build on the actions and advance cyber resiliency in the healthcare sector:
- Establish voluntary cybersecurity performance goals for the healthcare sector
- Provide resources to incentivize and implement these cybersecurity practices
- Implement an HHS-wide strategy to support greater enforcement and accountability
- Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity
Establish voluntary cybersecurity goals for the healthcare sector
Currently, healthcare organizations have access to numerous cybersecurity standards and guidance that apply to the sector, which can create confusion regarding which cybersecurity practices to prioritize.
HHS, with input from the industry, will establish and publish voluntary sector-specific cybersecurity performance goals, setting a clear direction for the industry and helping to inform potential future regulatory action from the department.
The Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) will help healthcare institutions prioritize the implementation of high-impact cybersecurity practices. HPH CPGs will include both “essential” goals to outline minimum foundational practices for cybersecurity performance and “enhanced” goals to encourage the adoption of more advanced practices.
Download the HPH CPGs here (PDF)
Provide resources to incentivize and implement these cybersecurity practices
HHS will work with Congress to obtain new authority and funding to both administer financial support for domestic hospital investments in cybersecurity and, in the long term, enforce new cybersecurity requirements through the imposition of financial consequences for hospitals. HHS envisions the establishment of two programs:
- An upfront investments program, to help high-need healthcare providers, such as low-resourced hospitals, cover the upfront costs associated with implementing “essential” HPH CPGs, and
- An incentives program to encourage all hospitals to invest in advanced cybersecurity practices to implement “enhanced” HPH CPGs.
Implement an HHS-wide strategy to support greater enforcement and accountability
Funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector. Given the increased risk profile of hospitals, HHS aspires to have all hospitals meeting sector-specific CPGs in the coming years. With additional authorities and resources, HHS will propose the incorporation of HPH CPGs into existing regulations and programs that will inform the creation of new enforceable cybersecurity standards.
HHS is working towards and expects to seek comment on these proposed actions based on the HPH CPGs:
- CMS will propose new cybersecurity requirements for hospitals through Medicare and Medicaid.
- The HHS Office for Civil Rights will begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, in the spring of 2024, to include new cybersecurity requirements.
HHS will also continue to work with Congress to increase civil monetary penalties for HIPAA violations and increase resources for HHS to investigate potential HIPAA violations, conduct pro-active audits, and scale outreach and technical assistance for low-resourced organizations to improve HIPAA compliance. In the interim, HHS will continue to investigate potential HIPAA violations.
Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity
HHS will mature its “one-stop shop” cybersecurity support function for the healthcare sector within the Administration of Strategic Preparedness and Response (ASPR) to more effectively enable industry to access the support and services the Federal Government has to offer. A one-stop shop will enhance coordination between HHS and the Federal Government, deepen the government’s partnership with industry, increase HHS’s incident response capabilities, and promote greater uptake of government services and resources such as technical assistance, vulnerability scanning, and more. ASPR has the response expertise and capabilities appropriate for helping the sector navigate and access the array of cybersecurity supports available from HHS and across the Federal Government.
Next Steps
Taken together, HHS believes these goals, supports, and accountability measures can comprehensively and systematically advance the healthcare sector along the spectrum of cyber resiliency to better meet the growing threat of cyber incidents, especially for high-risk targets like hospitals and health systems. Acting on these priorities will protect the privacy of all Americans health information and enable safe access to health care.
If you have any questions or would like to learn more,please visit complianceprosolutions.com.
