HHS Makes One-Stop Cybersecurity Shop in ASPR
The agency is working on standards and cyber incident response capabilities to help health care organizations combat ransomware threats.
Ransomware is an escalating problem in health care. So much so that the Department of Health and Human Services is creating a one-stop cybersecurity shop in the Administration for Strategic Preparedness and Response (ASPR) to help health care organizations address cyber challenges and respond to threats or incidents more quickly.
The effort is the fourth pillar within the agency’s recently released cyber plan to boost health care sector resiliency. The three other pillars include publishing new voluntary health care-specific cybersecurity performance goals, working with Congress to develop supports and incentives for domestic hospitals to improve cybersecurity, and increasing accountability and coordination within the health care sector.
If not addressed quickly, ransomware challenges can only escalate further year over year. According to a recent report, victims of ransomware attacks paid over $1.1 billion in 2023 and $570 million in 2022. Not only that, these incidents can impact patient safety.
“Ransomware attacks are particularly concerning because they lock down certain systems within a hospital, for example, and demand payment or a ransom. And when they do so, they can pose an immediate threat to patient health and safety,” said ASPR Office of Preparedness Deputy Director Brian Mazanec. “Imagine going to a hospital or an emergency room and if they can’t use the MRI machine or access your electronic medical records to know you’re allergic to penicillin. … We believe cybersecurity is patient safety. And we’re very focused on that.”
ASPR is working with partners to build stronger cybersecurity practices. This includes harmonizing cybersecurity standards such as HHS’ Public Health Sector Cybersecurity Performance Goals (HPH CPGs) published in January to help health care institutions plan for high-impact cybersecurity practices.
“The HPH CPGs provide layered protection at different points of weakness in an organization’s technology environment, which is crucial to increase cyber resilience and ultimately protect patient safety,” said Mazanec. “Layered defense provides redundancy so if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way.”
HPH CPGs fall into two categories: essential goals and enhanced goals. The essential goals are those that are the most basic and achievable. Enhanced goals are for those with more resources to prepare for cyber attacks.
According to HHS’ 2023 Hospital Cyber Resiliency Landscape Analysis, 80% of cyberattacks are identity-based. Several essential CPGs, including basic cybersecurity training, email security measures and revoking credentials for departing workforce members, are low-cost, high-yield actions that can protect organizations from identity-based attacks. The more intensive enhanced goals like network segmentation prevent threat actors from moving laterally in an organization after a breach.
ASPR is also working on improving its cyber incident response capabilities and resources.
“ASPR will continue to make further enhancements to our incident response capabilities, to include an enhanced incident tracking system that seamlessly integrates data to help ensure HHS is best positioned to make data-informed decisions in a timely manner when dealing with a cyber incident,” said Mazanec. “We also plan to enhance the tools and resources we can bring to the health care sector to support hospitals dealing with a serious cyberattack.”