US Dept of Health and Human Services publishes concept paper on healthcare cybersecurity

The US Department of Health and Human Services (HHS) has published a concept paper detailing its cybersecurity strategy for the healthcare sector, outlining improvements including health sector-specific cybersecurity goals, the incentivising of cybersecurity practices, greater enforcement and accountability, and the expansion of HHS’s “one-stop shop” for cybersecurity support.

Based on findings from the 2023 Hospital Cyber Resiliency Landscape Analysis, HHS “took immediate action to fully execute its cybersecurity mission within existing authorities and resources”, updating existing guidance, releasing free healthcare-specific cybersecurity training, and taking steps to maximise its sector support.

The concept paper highlights four “next steps” for “comprehensively and systematically” advancing cyber resiliency in the healthcare sector. The first focuses on establishing voluntary cybersecurity goals for healthcare organisations, including both “essential” goals for minimum foundations and “enhanced” goals to encourage the adoption of more advanced practices.

The second step looks to the HHS’s plans to establish an upfront investments program to help hospitals cover the costs of essential cybersecurity goals, as well as a program to incentivise investment in the more advanced goals. The HHS will work with Congress to obtain “new authority and funding” to administer this kind of financial support.

The third step is the implementation of an HHS-wide strategy to support enforcement and accountability, proposing “incorporation of HPH CPGs into existing regulations and programs that will inform the creation of new enforceable cybersecurity standards”. This will include working to propose new cybersecurity requirements through Medicare and Medicaid, and updating the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, in spring of 2024, to include new cybersecurity requirements.

The fourth and final step is expanding and maturing the HHS’s “one-stop shop cybersecurity support function”, to help promote access to available support and services from the Federal Government. The paper suggests that this will encourage uptake of government services and resources such as technical assistance and vulnerability scanning.

Rick Pollack, CEO and president of the AHA, said: “Responding today to HHS’ ‘Concept Paper’ on strategies for enhancing health care cybersecurity, the AHA welcomes the investment of federal expertise and funding in protecting hospital and health system patients from heinous attacks on critical health care infrastructure. However, this fight is largely against sophisticated foreign-based hackers who often work at the permission of and in collusion with hostile nation states. Defeating these hackers requires the combined expertise and authorities of the federal government. The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks.”


Also on cybersecurity in the US, Kathy Hochul, Governor of New York State, has announced statewide proposed cybersecurity regulations for hospitals, to help “safeguard health care systems from growing cyber threats”. The announcement follows warnings from the US Department of the Treasury, the FBI, and the Cybersecurity and Infrastructure Security Agency, that hospitals are a target for cyberattacks.
