HHS Releases Cybersecurity Concept Paper: HIPAA Changes Coming

Maynard Nexsen
On December 6, 2023, the Department of Health and Human Services (HHS) issued a concept paper detailing its plans for cybersecurity requirements for the healthcare sector. HHS acknowledges that the healthcare sector is particularly vulnerable to cybersecurity risks, that the stakes for patient care and safety are particularly high, and that healthcare facilities are therefore attractive targets for cyber criminals. Data collected by the government shows a 93% increase in large breaches reported from 2018 to 2022 (369 to 712), with a 278% increase over the same period in large breaches involving ransomware.

Part of the National Cybersecurity Strategy released March 1, 2023, the concept paper provides an overview of HHS’ proposed framework to help the healthcare sector address heightened and extensive cybersecurity threats. HHS announced that it will take the following concurrent steps to advance cyber resiliency in the healthcare industry:

1) Establish voluntary cybersecurity performance goals for the healthcare sector

2) Provide resources to incentivize and implement these cybersecurity practices

3) Implement an HHS-wide strategy to support greater enforcement and accountability

4) Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity

Establish voluntary cybersecurity goals for the healthcare sector. Currently, healthcare organizations must consult numerous cybersecurity standards and guidance documents that apply to the sector in order to determine best practices and recommended protocols; this plethora of guidance often creates confusion about which cybersecurity practices to prioritize. HHS, with input from industry, will establish and publish voluntary sector-specific cybersecurity performance goals, setting a clear direction for the industry. Although voluntary, these goals will also serve as a basis for future regulatory changes. The newly created Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) will include both “essential” goals, which outline minimum protocols for cybersecurity performance, and “enhanced” goals, which encourage adoption of more advanced practices.

Provide resources to incentivize and implement these cybersecurity practices. HHS will work with Congress to obtain new authority and funding both to administer financial support for hospitals' investments in cybersecurity and, in the long term, to enforce new cybersecurity requirements through the imposition of financial consequences for hospitals. HHS envisions the establishment of two programs that relate to the developed HPH CPGs: an upfront investments program to help less-resourced hospitals cover the upfront costs associated with implementing “essential” HPH CPGs and an incentives program to encourage all hospitals to invest in advanced cybersecurity practices to implement “enhanced” HPH CPGs.

Implement an HHS-wide strategy to support greater enforcement and accountability. HHS acknowledges that funding and voluntary goals alone will not create the change needed across the healthcare industry. With additional authorities and resources, HHS will propose incorporation of HPH CPGs into existing regulations and programs that will inform the creation of new enforceable cybersecurity standards. Perhaps most importantly, CMS will propose new cybersecurity requirements for hospitals through Medicare and Medicaid, and beginning in the Spring of 2024, the HHS Office for Civil Rights will begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to include new cybersecurity requirements. HHS also announced an expectation that civil monetary penalties for HIPAA violations will increase. 

Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity. HHS will put resources into developing what it calls its “one-stop shop” cybersecurity support function for the healthcare sector within the Administration of Strategic Preparedness and Response (ASPR) to more effectively enable industry to access the support and services the Federal Government has to offer. The goal is to enhance coordination within HHS and the Federal Government, especially with respect to incident response.

These initiatives announced in the concept paper come at a time when some of the HIPAA requirements have felt stagnant and, in some instances, dated. We will monitor the development of these initiatives in 2024. If you have questions regarding this announcement or other questions pertaining to HIPAA, please call the Maynard Nexsen Health Care team.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Maynard Nexsen | Attorney Advertising
