New HHS concept paper outlines cybersecurity strategy for healthcare sector

The U.S. Department of Health and Human Services (HHS) published Wednesday a concept paper that outlines its cybersecurity strategy for the healthcare sector, highlighting ongoing and planned steps to improve cyber resiliency and protect patient safety. The concept paper builds on the National Cybersecurity Strategy released by President Joe Biden, focusing on strengthening resilience for hospitals, patients, and communities threatened by cyber-attacks. 

The paper details four pillars for action, including publishing new voluntary healthcare-specific cybersecurity performance goals, working with Congress to develop support and incentives for domestic hospitals to improve cybersecurity, and increasing accountability and coordination within the healthcare sector.

The concept paper said that the HHS will establish voluntary healthcare and public health (HPH) sector Cybersecurity Performance Goals (CPGs) to help healthcare institutions plan and prioritize implementation of high-impact cybersecurity practices. It will also work with Congress to provide resources to incentivize and implement cybersecurity practices and obtain new authority and funding to administer financial support and incentives for domestic hospitals to implement high-impact cybersecurity practices.

The agency will also implement an HHS-wide strategy to support greater enforcement and accountability. It will propose new enforceable cybersecurity standards, informed by the HPH CPGs, to be incorporated into existing programs, including Medicare and Medicaid and the HIPAA Security Rule.

Additionally, the concept paper aims to enhance and develop the one-stop shop for healthcare sector cybersecurity within the HHS, involving strengthening the coordination role of the Administration for Strategic Preparedness and Response (ASPR) as a central hub for healthcare cybersecurity. The objective is to improve coordination between HHS and the federal government, foster stronger partnerships between HHS, the federal government, and industry stakeholders, enhance accessibility to government support and services, and bolster HHS’s incident response capabilities.

“Since entering office, the Biden-Harris Administration has worked to strengthen the nation’s defenses against cyberattacks. The healthcare sector is particularly vulnerable, and the stakes are especially high. Our commitment to this work reflects that urgency and importance,” Xavier Becerra, HHS Secretary said in a media statement. “HHS is working with healthcare and public health partners to bolster our cyber security capabilities nationwide. We are taking necessary actions that will make a big difference for the hospitals, patients, and communities who are being impacted.”

“Hospitals across the country have experienced cyberattacks, leading to canceled medical treatments and stolen medical records,” said Anne Neuberger, deputy national security adviser for cyber and emerging technologies. “Such impacts are preventable – to keep Americans safe, the Biden-Harris administration is establishing strong cybersecurity standards for healthcare organizations and enhancing resources to improve cyber resiliency across the health sector, including working with Congress to provide financial support for hospitals.”

Neuberger added that the latest announcement by HHS builds on the administration’s work to operationalize smart cybersecurity practices in the nation’s most critical sectors, like pipelines, aviation, and rail systems.

“The healthcare sector is experiencing a significant rise in cyberattacks, putting patient safety at risk. These attacks expose vulnerabilities in our healthcare system, degrade patient trust, and ultimately endanger patient safety,” said Andrea Palm, HHS deputy secretary. “HHS takes these threats very seriously, and we are taking steps that will ensure our hospitals, patients, and communities impacted by cyberattacks are better prepared and more secure.”

Addressing the establishment of voluntary cybersecurity goals for the healthcare sector, the HHS concept paper detailed that healthcare organizations currently have access to numerous cybersecurity standards and guidance that apply to the sector. This can create confusion regarding which cybersecurity practices to prioritize. 

“HHS, with input from industry, will establish and publish voluntary sector-specific cybersecurity performance goals, setting a clear direction for industry and helping to inform potential future regulatory action from the Department,” the concept paper detailed. “The Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) will help healthcare institutions prioritize implementation of high-impact cybersecurity practices. HPH CPGs will include both ‘essential’ goals to outline minimum foundational practices for cybersecurity performance and ‘enhanced’ goals to encourage adoption of more advanced practices.”

The HHS will work with Congress to obtain new authority and funding to both administer financial support for domestic hospital investments in cybersecurity and, in the long term, enforce new cybersecurity requirements through the imposition of financial consequences for hospitals. 

Moreover, HHS envisions the establishment of two programs – an upfront investments program, to help high-need healthcare providers, such as low-resourced hospitals, cover the upfront costs associated with implementing ‘essential’ HPH CPGs, and an incentives program to encourage all hospitals to invest in advanced cybersecurity practices to implement ‘enhanced’ HPH CPGs.

Recognizing that funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector, the HHS is working towards, and expects to seek comment on, two proposed actions based on the HPH CPGs. The Centers for Medicare & Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals through Medicare and Medicaid. The HHS Office for Civil Rights will begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in the spring of 2024 to include new cybersecurity requirements.

The HHS is working to enhance its cybersecurity support function for the healthcare sector by establishing a comprehensive ‘one-stop shop’ within the Administration for Strategic Preparedness and Response (ASPR). This initiative aims to facilitate industry access to the wide range of support and services offered by the federal government. By implementing a one-stop shop, coordination between HHS and the rest of the federal government will be improved, fostering stronger partnerships with industry.

Additionally, this will enhance HHS’s incident response capabilities and encourage greater utilization of government services and resources, including technical assistance and vulnerability scanning. ASPR possesses the necessary expertise and capabilities to assist the sector in navigating and accessing the various cybersecurity supports available from HHS and across the federal government.

In conclusion, when considering the goals, supports, and accountability measures, HHS firmly believes that they can effectively and holistically enhance the healthcare sector’s cyber resiliency. This will enable the sector to combat the increasing threat of cyber incidents, particularly for high-risk targets such as hospitals. By taking action on these priorities, the sector can safeguard the health and privacy of all Americans and ensure secure access to healthcare services.

In October, in response to the increasing cybersecurity threats faced by the HPH sector, the Cybersecurity and Infrastructure Security Agency (CISA) and HHS introduced a specialized healthcare cybersecurity toolkit that includes resources devised for the sector. The toolkit was released as the two agencies co-hosted a roundtable discussion on the cybersecurity challenges the HPH sector faces and how government and industry can work together to close the gaps in resources and cyber capabilities.
