The Department of Health and Human Services (HHS) has released a concept paper that outlines the department’s cybersecurity strategy for the healthcare sector, detailing four key actions it will take to advance cyber resiliency in the sector.
HHS issued the concept paper on Dec. 6, noting that it builds on the Biden administration’s National Cybersecurity Strategy and serves as an “introduction” to the department’s own cybersecurity strategy.
“Since entering office, the Biden-Harris administration has worked to strengthen the nation’s defenses against cyberattacks. The healthcare sector is particularly vulnerable, and the stakes are especially high. Our commitment to this work reflects that urgency and importance,” HHS Secretary Xavier Becerra said in a press release.
“HHS is working with health care and public health partners to bolster our cybersecurity capabilities nationwide. We are taking necessary actions that will make a big difference for the hospitals, patients, and communities who are being impacted,” Becerra added.
According to the concept paper, HHS has found a 93 percent increase in large breaches reported to the HHS Office for Civil Rights (OCR) from 2018 to 2022 – with a 278 percent increase in large breaches involving ransomware.
The department is looking to drive down the number of cyber breaches by taking the following four concurrent steps:
- Establish voluntary cybersecurity performance goals for the healthcare sector;
- Provide resources to incentivize and implement these cybersecurity practices;
- Implement an HHS-wide strategy to support greater enforcement and accountability; and
- Expand and mature the one-stop shop within HHS – the Administration for Strategic Preparedness and Response – for healthcare sector cybersecurity.
As it works towards a department-wide cybersecurity strategy, HHS said that the Centers for Medicare & Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals through Medicare and Medicaid.
Additionally, the HHS OCR will begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, in the spring of 2024, to include new cybersecurity requirements.
Taken together, HHS hopes these steps can help the healthcare sector to better protect itself against the growing number of cyber incidents, especially for high-risk targets such as hospitals.
“The healthcare sector is experiencing a significant rise in cyberattacks, putting patient safety at risk. These attacks expose vulnerabilities in our health care system, degrade patient trust, and ultimately endanger patient safety,” said HHS Deputy Secretary Andrea Palm. “HHS takes these threats very seriously, and we are taking steps that will ensure our hospitals, patients, and communities impacted by cyberattacks are better prepared and more secure.”