Noting that cyber incidents in healthcare are on the rise, the U.S. Department of Health and Human Services has outlined steps it is taking to build cyber resiliency in the healthcare sector, including seeking authority to offer incentive payments to help healthcare organizations improve their cybersecurity practices.
In a new report, HHS said it is establishing voluntary cybersecurity performance goals for the healthcare sector. Currently, healthcare organizations have access to numerous cybersecurity standards and guidance that apply to the sector, which can create confusion regarding which cybersecurity practices to prioritize. HHS, with input from industry, will establish and publish voluntary sector-specific cybersecurity performance goals, setting a clear direction for industry and helping to inform potential future regulatory action from the department.
HHS said the Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) would help healthcare institutions prioritize implementation of high-impact cybersecurity practices. HPH CPGs will include both “essential” goals to outline minimum foundational practices for cybersecurity performance and “enhanced” goals to encourage adoption of more advanced practices.
Second, HHS said it would provide resources to incentivize and implement these cybersecurity practices. HHS will work with Congress to obtain new authority and funding both to administer financial support for domestic hospital investments in cybersecurity and, in the long term, to enforce new cybersecurity requirements through the imposition of financial consequences for hospitals.
HHS envisions the establishment of two programs: an upfront investments program to help high-need healthcare providers, such as low-resourced hospitals, cover the upfront costs of implementing the “essential” HPH CPGs, and an incentives program to encourage all hospitals to invest in advanced cybersecurity practices by implementing the “enhanced” HPH CPGs. Third, HHS intends to implement a department-wide strategy to support greater enforcement and accountability.
“Funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector,” the HHS report said. “Given the increased risk profile of hospitals, HHS aspires to have all hospitals meeting sector-specific CPGs in the coming years. With additional authorities and resources, HHS will propose incorporation of HPH CPGs into existing regulations and programs that will inform the creation of new enforceable cybersecurity standards.”
The Centers for Medicare & Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals through the Medicare and Medicaid programs, and the HHS Office for Civil Rights will begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in spring 2024 to include new cybersecurity requirements.
HHS will also continue to work with Congress to increase civil monetary penalties for HIPAA violations and increase resources for HHS to investigate potential HIPAA violations, conduct proactive audits, and scale outreach and technical assistance for low-resourced organizations to improve HIPAA compliance. In the interim, HHS will continue to investigate potential HIPAA violations.
HHS said it would mature its “one-stop shop” cybersecurity support function for the healthcare sector within the Administration for Strategic Preparedness and Response (ASPR) to more effectively enable industry to access the support and services the Federal Government has to offer. The department said the one-stop shop will enhance coordination within HHS and across the Federal Government, deepen the government’s partnership with industry, increase HHS’s incident response capabilities, and promote greater uptake of government services and resources such as technical assistance and vulnerability scanning.
Taken together, HHS believes these goals, supports, and accountability measures can comprehensively and systematically advance the healthcare sector along the spectrum of cyber resiliency to better meet the growing threat of cyber incidents, especially for high-risk targets such as hospitals.