HHS Publishes Roadmap of New Strategy for Cybersecurity in the Healthcare Sector

Proskauer - Health Care Law Brief

The U.S. Department of Health and Human Services (HHS) recently issued a strategy paper highlighting key aspects of its plan to revamp cybersecurity requirements in the healthcare industry. Citing a 93% increase in large data breaches in healthcare from 2018 to 2022 and a rapid increase in ransomware attacks against U.S. hospitals, HHS issued the strategy as part of a broad effort to implement the Biden Administration’s National Cybersecurity Strategy. As a part of its strategy, HHS is focusing on four primary goals:

1) Establish voluntary cybersecurity performance goals for the healthcare sector;

2) Provide resources to incentivize and implement these cybersecurity practices;

3) Implement an HHS‑wide strategy to support greater enforcement and accountability; and

4) Expand and mature the one‑stop shop within HHS for cybersecurity.

To achieve these goals, HHS highlights several novel approaches. One notable approach includes implementing an investment‑based incentives program to encourage hospitals to invest in advanced cybersecurity practices that satisfy the newly defined Healthcare and Public Health Sector‑specific Cybersecurity Performance Goals. In addition, HHS’s Office for Civil Rights (OCR) will update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in the spring of 2024 to include new cybersecurity requirements.

HHS plans to work with Congress to increase the amounts of civil monetary penalties for HIPAA violations and to expand its investigative capabilities in the area. The new strategy will draw on the Administration for Strategic Preparedness and Response (ASPR) to streamline this multi‑tiered HHS effort.

Additionally, we expect OCR to continue to use its existing investigative and enforcement powers to “encourage” the healthcare system to take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly reviewing risks and records, and updating policies. For example, on October 31, 2023, OCR announced a $100,000 settlement with Doctors’ Management Services (DMS), a Massachusetts medical management company. DMS was compromised by a ransomware attack that impacted 206,695 individuals. The DMS resolution was OCR’s first ransomware settlement involving a business associate, and signals more ransomware‑related settlements to come.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Health Care Law Brief | Attorney Advertising
