Concept paper includes future plans to update the HIPAA Security Rule and establish voluntary cybersecurity performance goals

The U.S. Department of Health and Human Services ("HHS") issued a concept paper describing its overarching strategy to address healthcare cybersecurity. The concept paper builds on the Biden-Harris Administration's National Cybersecurity Strategy, which was released in March 2023.

HHS's healthcare cybersecurity strategy consists of four "pillars for action" aimed at strengthening resilience for hospitals, patients, and communities threatened by cyberattacks. The action items contained within each of the four pillars include the following:

• Establish Voluntary Cybersecurity Performance Goals (CPGs) for the Healthcare Sector. HHS, in collaboration with industry participants, intends to establish CPGs to aid healthcare institutions in planning and prioritizing implementation of high-impact cybersecurity practices, "setting a clear direction for industry and helping to inform potential future regulatory action from [HHS]";
• Provide Resources to Incentivize Implementation of Stronger Cybersecurity Protocols and Practices. HHS intends to work with Congress to secure "new authority and funding" to administer financial support and provide incentives for domestic hospitals to invest in advanced cybersecurity practices and prioritize implementation of enhanced cybersecurity goals;
• Develop New Enforceable Cybersecurity Standards Through Greater Regulatory Enforcement and Accountability. When additional "authorities and resources" are secured, HHS will seek to incorporate CPGs into existing regulations and programs – such as Medicare and Medicaid and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – that will ultimately lead to new enforceable cybersecurity standards; and
• Expand and mature HHS's one-stop shop offerings for healthcare sector cybersecurity. HHS will task the Administration for Strategic Preparedness and Response (ASPR) to expand and mature a "one-stop shop" support service for healthcare cybersecurity.

Let's take a look at each pillar in more depth.

Pillar One: Establish Healthcare-Specific Cybersecurity Performance Goals

The first pillar addresses developing a set of voluntary CPGs tailored to the healthcare sector. The development of CPGs appears to be modeled after the voluntary CPGs set forth by the Cybersecurity and Infrastructure Security Agency (CISA), which currently serve as a benchmark for critical infrastructure entities to measure security maturity.

The objective of CPGs within the healthcare sector would be to streamline the array of cybersecurity standards and guidance available to healthcare entities and delineate which cybersecurity practices should be prioritized and implemented. The CPGs, as described in the concept paper, would include "essential" goals that set forth minimum foundational practices for cybersecurity performance, along with "enhanced" goals intended to encourage adoption of more advanced practices.

Pillar Two: Incentivize the Implementation of Stronger Cybersecurity Practices

The second pillar in HHS's concept paper details how it would provide resources to help "incentivize" hospitals and other actors in the healthcare sector to adopt and implement stronger cybersecurity practices, including:

• An upfront investments program designed to assist high-need healthcare providers (e.g., low-resourced hospitals) with covering the upfront expense associated with implementing "essential" CPGs; and
• An incentives program designed to encourage all hospitals to make investments in advanced cybersecurity practices and to implement "enhanced" CPGs.

Regarding how HHS would pay for additional "resources," the concept paper is vague and only mentions "working with Congress" to obtain additional funding. The other incentive mechanism identified in the concept paper is "the imposition of financial consequences for hospitals." It is likely that HHS will use existing enforcement levers such as the Centers for Medicare & Medicaid Services (CMS) Merit-based Incentive Payment System (MIPS) for eligible clinicians, and the Medicare Promoting Interoperability Program, which requires eligible hospitals and critical access hospitals to adopt, implement, upgrade, and demonstrate meaningful use of certified electronic health record technology (CEHRT) and can result in significant reductions in reimbursement for noncompliance. HHS has also proposed to use these mechanisms to enforce the 21st Century Cures Act Information Blocking Rule, meaning that more and more acts or omissions may lead to failing to qualify as a "meaningful user" of CEHRT and the accompanying reduction in Medicare reimbursement.

Pillar Three: Enhanced "Enforcement and Accountability" Measures by HHS

The third pillar in HHS's concept paper describes the implementation of greater enforcement and accountability measures, including updates to established regulations and guidance. HHS identified proposing new cybersecurity requirements for hospitals through Medicare and Medicaid. In addition, the HHS Office for Civil Rights (OCR) is planning to release an update to the HIPAA Security Rule in Spring 2024 that would feature new cybersecurity requirements and compliance obligations. This would mark the first significant change to the Security Rule requirements since they were finalized over twenty years ago.

Notably, the concept paper stated that HHS intends to work with Congress to "increase civil monetary penalties for HIPAA violations" in addition to new funding for HHS to conduct "proactive audits" and investigations into potential HIPAA violations. The potential increase in civil monetary penalty amounts likely is a reaction to the decision in University of Texas M.D. Anderson Cancer Center v. HHS, where the Fifth Circuit in 2021 held that HHS's implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act's penalty structure was inconsistent with the statutory language and, therefore, covered entities and business associates were subject to lower annual year caps on civil monetary penalties than those set forth in the HIPAA regulations.

Pillar Four: Develop and Expand "One-Stop Shop" Cybersecurity Support Offerings to Healthcare Sector

The fourth pillar in HHS's concept paper describes its objective to mature its "one-stop shop" for cybersecurity support in the healthcare sector via the ASPR. HHS explained that ASPR possesses the "response expertise and capabilities" necessary for assisting the healthcare sector in navigating and accessing the cybersecurity support offerings that HHS makes available.

The steps HHS lays out for expanding and maturing its one-stop shop would include:

• Enhancing coordination within HHS and across the Federal Government;
• Partnering with industry;
• Increasing HHS's incident response capabilities; and
• Promoting greater utilization of technical assistance, vulnerability scanning, and other tools.

Looking Ahead

HHS's concept paper, along with a litany of recent cybersecurity-related actions undertaken within existing authorities,[1] offer insight into the more active role HHS seeks to play in the cybersecurity space. For example, the concept paper detailed HHS's role as the Sector Risk Management Agency (SRMA) for the Healthcare and Public Health Sector, pursuant to the Homeland Security Act of 2002, as amended, and Presidential Policy Directive 21. As a designated SRMA, HHS is responsible for sharing cyber threat information and intelligence within the healthcare sector, providing technical assistance, guidance, and resources for healthcare sector participants to comply with data security and privacy laws, issuing cybersecurity guidance and threat alerts for medical devices, and publishing healthcare-specific cybersecurity best practices, resources, and guidance.

HHS's recent enforcement actions further illustrate the more aggressive posture it intends to take when it comes to cybersecurity compliance. For example, on October 31, 2023, HHS announced its first ransomware settlement involving a business associate. Specifically, OCR and Doctors' Management Services (DMS), a Massachusetts medical management company, agreed to a $100,000 settlement to resolve potential HIPAA violations stemming from a ransomware attack. OCR opened an investigation on a breach report from DMS in April 2019 which impacted more than 200,000 individuals. Based on its investigation, OCR alleged that DMS failed to conduct a risk analysis that properly assessed the potential risks and vulnerabilities associated with handling electronic protected health information across its organization. In addition, OCR alleged DMS did not implement procedures for regularly reviewing records of information system activity such as audit logs, access reports, and security incident tracking reports and failed to implement policies and procedures necessary to comply with the HIPAA Security Rule.

OCR's enforcement action against DMS is an indication that additional ransomware‑related settlements could be pursued in an effort by HHS to "encourage" participants in the healthcare sector to identify and address cybersecurity vulnerabilities.

Covered entities and business associates should consider taking proactive steps to strengthen their compliance posture in light of HHS's renewed emphasis on cybersecurity, including regularly conducting periodic risk assessments, updating relevant organizational policies and implementing appropriate controls to secure health information.

[1] HHS updated voluntary healthcare-specific cybersecurity guidance and the U.S. Food and Drug Administration issued guidance for medical device manufacturers outlining pre-market cybersecurity recommendations and requirements for all new medical devices.

[View source.]