HHS ‘Concept Paper’ Forecasts Stormy Cybersecurity Compliance Weather: New Cybersecurity Requirements and Increased Enforcement to Come in 2024

BakerHostetler

On Dec. 6, the Department of Health and Human Services (HHS or the Department) released what it is calling a “concept paper” on its role in cybersecurity for the healthcare sector (the HHS paper).[1] The HHS paper is sweeping in scope, laying out an ambitious vision of future action by the Department designed to address its view of the current state of healthcare cybersecurity. Below, we highlight some of the key takeaways for healthcare sector entities looking to manage security and compliance risk with a forward-looking perspective.

HHS sets the table for its industry approach against the backdrop of the larger healthcare cybersecurity landscape. Citing data from its Office for Civil Rights (OCR), which carries out Health Insurance Portability and Accountability Act (HIPAA) enforcement, HHS notes a 93 percent increase in “large breaches” reported between 2018 and 2022 – including a 278 percent increase in the number of such breaches involving ransomware.[2] The OCR still categorizes a “large breach” as one involving more than 500 individuals, although in reality, multimillion person breaches are becoming increasingly common—in 2023 alone, the BakerHostetler team routinely advised clients on breaches involving over one million patients. These rising numbers, HHS suggests, evidence an increasingly dangerous threat landscape fraught with the potential physical impacts of healthcare security incidents, i.e., disruptions to patient care.

The Department’s Four-Pronged Strategic Vision

In the HHS paper, HHS announces its intention to address the darkening skies of healthcare cybersecurity risk with a four-pronged approach involving: 1) voluntary industry cybersecurity performance goals; 2) resources to support the implementation of practices that will help accomplish these goals; 3) greater enforcement and accountability; and 4) consolidating government industry support resources to increase their effectiveness.[3] Below, we review each of these prongs and what they could mean for healthcare cybersecurity compliance in 2024.

1. “Voluntary” Cybersecurity Goals

HHS believes that “access to numerous cybersecurity standards and guidance that apply to the [healthcare] sector” can cause confusion about how to prioritize cybersecurity practices. The Department indicates that it will clear up this perceived confusion by publishing still more standards and guidance, in the form of “voluntary sector-specific cybersecurity performance goals,” which will trump the multiverse of existing sectoral standards and guidance. These new performance goals, called the “Healthcare and Public Health Sector-specific Cybersecurity Performance Goals” (HPH CPGs), are promised to provide not only “clear direction” for the industry but also help in “inform[ing] potential future regulatory action from the Department.” The HPH CPGs will include “essential” or “minimum foundational” practices as well as “enhanced” or more advanced practices.

The HPH CPG concept, as described by the HHS paper, may raise questions about the future of the 405(d) Task Force’s “recognized security practices.” These standards and guidance were recently updated in 2023 and are supported with hundreds of pages of guidance[4] addressing tiered healthcare cybersecurity practices, from basic to advanced, as aligned with small, medium, and large organizations. Recognized security practices are a routine subject of interest in OCR investigations following a reported security incident, and evidencing adherence to these practices is a way for entities subject to HIPAA to mitigate penalties resulting from enforcement activity. Accordingly, many entities with HIPAA security compliance requirements have used the 405(d)[5] practices to organize and evaluate the key elements of their cybersecurity programs.[6]

Yet to be determined is how the application, interpretation and enforcement of the HPH CPGs will differ from those of the 405(d) and other existing frameworks for healthcare cybersecurity. It would be useful for the HPH CPGs to include mappings to the existing cybersecurity practice frameworks. Organizations that designed security programs in alignment with these frameworks could then easily transition to the HPH CPGs. Cybersecurity practices must always be evolving to adapt to this dynamic threat environment, and a new articulation of industry standards should not require significant changes for organizations already working to align security practices with existing guidance – especially considering that HHS issued the HPH CPGs to clarify existing guidance and facilitate prioritization of known security objectives rather than to create a revolutionary new approach to cybersecurity.

More concern may be warranted regarding the role of HPH CPGs in future regulatory action. In the HHS paper, the Department states that HPH CPGs are intended to help “inform potential future regulatory action from the Department.” However, HHS does not elaborate further, which raises the following question: Will findings of noncompliance with the HIPAA Security Rule result in higher penalties when an organization does not adhere to HPH CPGs? In other words, is this truly voluntary?

2. Provision of Support Resources for Implementation of HPH CPGs

In its brief description of this strategic prong, which is specifically targeted at hospitals, the Department confirms that while there are carrots in its approach to cybersecurity, there will also be sticks. As far as carrots, HHS says it will work with Congress to help “high-need healthcare providers, such as low-resourced hospitals,” obtain funding to cover “upfront costs” involved with implementing HPH CPGs. This may sound beneficent; however, investment is to be “encourage[d]” through “incentives” such as “imposition of financial consequences for hospitals.”[7] The nature of such consequences and criteria for their application are left to the imagination, which is perhaps designed to encourage immediate attention to cybersecurity improvements without awaiting future HHS publications.

3. Greater Enforcement and Accountability

Ultimately, we learn that while the HHS paper promises an industry approach that involves “voluntary” goals, where the Department will “provide resources” and “support” to the healthcare sector for cybersecurity, HHS has decided that such measures are insufficient without enforcement and penalties. The “voluntary” goals will not be voluntary for long, as HHS intends to “propose incorporation of HPH CPGs into existing regulations and programs,” including “new cybersecurity requirements for hospitals through Medicare and Medicaid.”[8]

If you stopped reading toward the end of the HHS paper, you would miss the big-ticket item: the OCR “will begin an update to the [HIPAA] Security Rule, in spring of 2024, to include new cybersecurity requirements.”[9] The overarching significance of this prong of the HHS strategic plan is perhaps self-evident, but for those who may be thinking that major legislative change of this nature is a slow process and there is plenty of time to improve their security and compliance posture in anticipation of legal requirements incorporating higher security standards, the Department vows ramped-up enforcement in the meantime. HHS will “increase civil monetary penalties” for violations and “increase resources” for compliance investigations and proactive audits. For good measure, and to dispel any misapprehension that these kinds of increases will also take time, the Department expounds that while it is working to secure these increases, “[i]n the interim, HHS will continue to investigate potential HIPAA violations.”[10]

4. “One Stop” for Healthcare Cybersecurity Support

In this prong of the HHS paper, the Department returns to an initiative with the stated intent to “deepen government’s partnership” with the sector by consolidating cybersecurity support and services in the Administration for Strategic Preparedness and Response. In the context of the HHS paper, it would be hard not to view this final prong as anticlimactic, given the dramatic structural lead-up, which moves from introducing “voluntary goals” to provisioning “support” and “resources” tied to “financial consequences” into a full-scale focus on enacting new cybersecurity requirements, in-depth investigations, and increasing enforcement activities.[11]

What’s Next?

Based on the HHS paper and observed trends in practice, HHS is going to be very busy on the legislative and enforcement fronts in 2024. HIPAA-covered entities and business associates should anticipate that cybersecurity regulatory compliance is getting harder and will require greater investment, and that the consequences of insufficient resourcing and attention will continue to increase. Any organization subject to HIPAA compliance requirements should evaluate its cybersecurity compliance program accordingly and consider an updated security risk analysis a critical goal for 2024.


[1] HHS announces next steps in ongoing work to enhance cybersecurity for health care and public health sectors - HHS.gov, https://www.hhs.gov/about/news/2023/12/06/hhs-announces-next-steps-ongoing-work-enhance-cybersecurity-health-care-public-health-sectors.html (last visited Dec. 19, 2023).

[2] Id.

[3] Id.

[4] HHS 405(d) Cybersecurity Education Platform - HHS 405(d), https://405d.hhs.gov/knowledgeondemand (last visited Dec. 19, 2023).

[5] Landscape Analysis - hhs.gov, https://405d.hhs.gov/Documents/405d-hospital-resiliency-analysis.pdf (last visited Dec. 19, 2023).

[6] OCR releases YouTube video addressing “Recognized security practices” in Hipaa Enforcement Context - Data Counsel, https://www.bakerdatacounsel.com/blogs/ocr-releases-youtube-addressing-recognized-security-practices-in-hipaa-enforcement-context/ (last visited Dec. 19, 2023).

[7] Healthcare sector cybersecurity - ASPR, https://aspr.hhs.gov/cyber/Documents/Health-Care-Sector-Cybersecurity-Dec2023-508.pdf (last visited Dec. 19, 2023).

[8] Id. at 3.

[9] Id. at 3.

[10] Id. at 3.

[11] Healthcare sector cybersecurity - ASPR, https://aspr.hhs.gov/cyber/Documents/Health-Care-Sector-Cybersecurity-Dec2023-508.pdf (last visited Dec. 19, 2023).
