On December 6, 2023, HHS released a concept paper that outlines the Department’s cybersecurity strategy for the healthcare sector titled, “Healthcare Sector Cybersecurity Strategy.” HHS reports that cyber incidents in healthcare are on the rise with a 93% increase in large data breaches reported from 2018 to 2022 (rising from 369 to 712) and a 278% increase in large breaches involving ransomware. Cyber incidents affecting healthcare providers can cause significant care disruptions that put patients’ safety at risk. The strategy paper identified four new steps that HHS will take to build on its existing cybersecurity activities in the healthcare sector: 1) establishing voluntary cybersecurity performance goals for the healthcare sector; 2) providing resources to incentivize and implement these cybersecurity practices; 3) implementing an HHS-wide strategy to support greater enforcement and accountability; and 4) expanding and maturing the one-stop shop within HHS for healthcare sector cybersecurity.

This year HHS conducted the 2023 Hospital Cyber Resiliency Landscape Analysis to examine hospitals’ current state of cyber security performance and needs. As a result of that analysis, HHS took action to update its voluntary healthcare-specific cybersecurity guidance and released free healthcare-specific cybersecurity trainings geared toward providing help with basic cybersecurity practices to small and medium-sized healthcare facilities. Currently, the HHS cyber security strategy includes the following activities:

• Sharing cyber threat information and intelligence with the sector to mitigate risk from prominent and emerging threats;
• Providing the sector with technical assistance, guidance, and resources to comply with data security and privacy laws;
• Issuing cybersecurity guidance and threat alerts for medical devices; and
• Publishing healthcare-specific cybersecurity best practices, resources, and guidance.

The recent HHS strategy paper identified four new concurrent steps that HHS will take to build on its existing cybersecurity activities in the healthcare sector. First, HHS will establish voluntary cybersecurity performance goals for the healthcare sector. These performance goals are designed to help healthcare institutions prioritize implementation of high-impact cybersecurity practices and will include both “essential” goals to outline minimum foundational practices for cybersecurity performance as well as “enhanced” goals to encourage healthcare providers to adopt more advanced practices.

Second, HHS will seek new authority and resources to incentivize and implement these cybersecurity practices as well as enforce new requirements through financial consequences. HHS wants to create two new programs—the first, an investments program, to help high-need healthcare providers cover the upfront costs associated with implementing “essential” cybersecurity performance goals, and the second, an incentives program to encourage all hospitals to invest in advanced cybersecurity practices to implement the “enhanced” cybersecurity performance goals.

Third, HHS will seek to implement an HHS-wide strategy to support greater enforcement and accountability so that all hospitals meet cybersecurity performance goals. HHS will propose incorporating these goals into existing regulations and programs. HHS will propose new cybersecurity requirements for hospitals through Medicare and Medicaid, and the HHS Office for Civil Rights will begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, in spring of 2024, to include new cybersecurity requirements. HHS will seek authority and funding from Congress to investigate potential HIPAA violations, conduct proactive audits, and increase civil monetary penalties for HIPAA violations.

Fourth, HHS plans to expand and mature the one-stop shop within HHS for healthcare sector cybersecurity through its Administration of Strategic Preparedness and Response (ASPR). HHS hopes to have ASPR promote a greater uptake of government services and resources such as technical assistance and vulnerability scanning.

The full text of the Healthcare Sector Cybersecurity Strategy paper is available here.