HHS Unveils Cybersecurity Blueprint Amid Soaring Healthcare Breaches
HHS initiatives tackle rising data breaches and include comprehensive strategy to safeguard health systems.
The Department of Health and Human Services (HHS) recently introduced new cybersecurity initiatives in response to the ongoing growth of cybersecurity breaches impacting the health care ecosystem.
According to the HHS Office for Civil Rights (OCR), there has been a 93% rise in large data breaches between 2018 and 2022, and breaches involving ransomware have experienced a 278% increase. In a six-page paper, the agency outlined four measures to enhance cybersecurity and decrease ongoing risks:
- Establish voluntary cybersecurity performance goals for the healthcare sector.
- Provide resources to incentivize and implement these cybersecurity practices.
- Implement an HHS-wide strategy to support greater enforcement and accountability.
- Expand and mature the one-stop shop within HHS for health care sector cybersecurity.
Health care organizations already have access to cybersecurity guidance, according to HHS, but the abundance of standards can create confusion about what to prioritize. The agency’s first goal is to establish a clear direction for the entire ecosystem, across departments.
“Since entering office, the Biden-Harris Administration has worked to strengthen the nation’s defenses against cyberattacks. The health care sector is particularly vulnerable, and the stakes are especially high. Our commitment to this work reflects that urgency and importance,” HHS Secretary Xavier Becerra said of the concept paper. “HHS is working with health care and public health partners to bolster our cyber security capabilities nationwide.”
To streamline the adoption of best cybersecurity practices, HHS plans to publish the “Healthcare and Public Health Sector-specific Cybersecurity Performance Goals” (HPH CPGs). “(HPH CPGs) will help healthcare institutions prioritize implementation of high-impact cybersecurity practices. HPH CPGs will include both “essential” goals to outline minimum foundational practices for cybersecurity performance and “enhanced” goals to encourage adoption of more advanced practices,” the paper states.
The agency also plans to collaborate with Congress to secure additional funding to support hospital investments in cybersecurity and enforce new cybersecurity requirements. The funding will help establish new programs, including an upfront investments program and an incentives program.
The National Cybersecurity Strategy, released by the Biden Administration in March, concentrates on enhancing federal cybersecurity and encourages agencies to elevate their cybersecurity measures. Cyber culture and stronger threat detection have been identified as areas of improvement in public and private health systems.
“Hospitals across the country have experienced cyberattacks, leading to cancelled medical treatments and stolen medical records. Such impacts are preventable – to keep Americans safe, the Biden-Harris Administration is establishing strong cybersecurity standards for health care organizations and enhancing resources to improve cyber resiliency across the health sector, including working with Congress to provide financial support for hospitals. [The paper] builds on Biden-Harris Administration’s work to operationalize smart cybersecurity practices in our nation’s most critical sectors, like pipelines, aviation, and rail systems,” said Anne Neuberger, Deputy National Security Adviser for Cyber and Emerging Technologies.
Along with additional funding, the agency is prioritizing strengthening accountability across the health ecosystem. “The HHS Office for Civil Rights will begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, in spring of 2024, to include new cybersecurity requirements,” the paper states.
The agency plans to “mature its one-stop shop” for cybersecurity support and take partnerships to the next level as it works with the federal government and private entities to meet critical cybersecurity goals.
“Acting on these priorities will protect the health and privacy of all Americans and enable safe access to health care,” the paper states.