
HHS Makes One-Stop Cybersecurity Shop in ASPR

The agency is working on standards and cyber incident response capabilities to help health care organizations combat ransomware threats.


Ransomware is an escalating problem in health care. So much so that the Department of Health and Human Services is creating a one-stop cybersecurity shop in the Administration for Strategic Preparedness and Response (ASPR) to help health care organizations address cyber challenges and respond to threats or incidents more quickly.

The effort is the fourth pillar within the agency’s recently released cyber plan to boost health care sector resiliency. The three other pillars include publishing new voluntary health care-specific cybersecurity performance goals, working with Congress to develop supports and incentives for domestic hospitals to improve cybersecurity, and increasing accountability and coordination within the health care sector.

If not addressed quickly, ransomware challenges can only escalate further year over year. According to a recent report, victims of ransomware attacks paid over $1.1 billion in 2023 and $570 million in 2022. Not only that, these incidents can impact patient safety.

“Ransomware attacks are particularly concerning because they lock down certain systems within a hospital, for example, and demand payment or a ransom. And when they do so, they can pose an immediate threat to patient health and safety,” said ASPR Office of Preparedness Deputy Director Brian Mazanec. “Imagine going to a hospital or an emergency room and if they can’t use the MRI machine or access your electronic medical records to know you’re allergic to penicillin. … We believe cybersecurity is patient safety. And we’re very focused on that.”

ASPR is working with partners to build stronger cybersecurity practices. This includes harmonizing cybersecurity standards such as HHS’ Public Health Sector Cybersecurity Performance Goals (HPH CPGs) published in January to help health care institutions plan for high-impact cybersecurity practices.

“The HPH CPGs provide layered protection at different points of weakness in an organization’s technology environment, which is crucial to increase cyber resilience and ultimately protect patient safety,” said Mazanec. “Layered defense provides redundancy so if one line of defense is compromised, additional layers exist as a backup to ensure that threats are stopped along the way.”

HPH CPGs fall into two categories: essential goals and enhanced goals. The essential goals are those that are the most basic and achievable. Enhanced goals are for those with more resources to prepare for cyber attacks.

According to HHS’ 2023 Hospital Cyber Resiliency Landscape Analysis, 80% of cyberattacks are identity-based. Several essential CPGs, including basic cybersecurity training, email security measures and revoking credentials for departing workforce members, are low-cost, high-yield actions that can protect organizations from identity-based attacks. The more intensive enhanced goals like network segmentation prevent threat actors from moving laterally in an organization after a breach.

ASPR is also working on improving its cyber incident response capabilities and resources.

“ASPR will continue to make further enhancements to our incident response capabilities, to include an enhanced incident tracking system that seamlessly integrates data to help ensure HHS is best positioned to make data-informed decisions in a timely manner when dealing with a cyber incident,” said Mazanec. “We also plan to enhance the tools and resources we can bring to the health care sector to support hospitals dealing with a serious cyberattack.”
