HHS Releases Working Paper on Supporting Cybersecurity in Healthcare

The Department of Health and Human Services released a working paper that outlines its strategy to support cybersecurity in healthcare, including proposing hospital cybersecurity requirements through Medicare and Medicaid and beginning to update the HIPAA rule. The paper details steps to improve resilience among healthcare organizations, like establishing voluntary cybersecurity goals for the sector, working with Congress to receive new authority and funding, and adding goals into existing regulations and programs. The strategy comes as healthcare organizations face growing threats of cyberattacks that jeopardize patient safety and privacy.

More on the Paper

HHS’s healthcare cybersecurity strategy consists of four “pillars for action” aimed at strengthening resilience for hospitals, patients, and communities threatened by cyberattacks. The first pillar is establishing voluntary cybersecurity performance goals (CPGs) for the healthcare sector. HHS, in collaboration with industry participants, intends to establish CPGs to aid healthcare institutions in planning and prioritizing implementation of high-impact cybersecurity practices, “setting a clear direction for industry and helping to inform potential future regulatory action from [HHS]”.

Second is providing resources to incentivize implementation of stronger cybersecurity protocols and practices. HHS intends to work with Congress to secure “new authority and funding” to administer financial support and provide incentives for domestic hospitals to invest in advanced cybersecurity practices and prioritize implementation of enhanced cybersecurity goals.

Third is developing new enforceable cybersecurity standards through greater regulatory enforcement and accountability. When additional “authorities and resources” are secured, HHS will seek to incorporate CPGs into existing regulations and programs – such as Medicare and Medicaid and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule – that will ultimately lead to new enforceable cybersecurity standards.

The fourth pillar is to expand and mature HHS’s one-stop shop offerings for healthcare sector cybersecurity. HHS will task the Administration for Strategic Preparedness and Response (ASPR) to expand and mature a “one-stop shop” support service for healthcare cybersecurity. HHS explained that ASPR possesses the “response expertise and capabilities” necessary for assisting the healthcare sector in navigating and accessing the cybersecurity support offerings that HHS makes available.

HHS’s concept paper, along with other recent cybersecurity-related actions undertaken within existing authorities, offers insight into the more active role HHS seeks to play in the cybersecurity space. For example, the concept paper detailed HHS’s role as the Sector Risk Management Agency (SRMA) for the Healthcare and Public Health Sector. As the designated SRMA, HHS is responsible for sharing cyber threat information and intelligence within the healthcare sector; providing technical assistance, guidance, and resources to help healthcare sector participants comply with data security and privacy laws; issuing cybersecurity guidance and threat alerts for medical devices; and publishing healthcare-specific cybersecurity best practices, resources, and guidance.
