The healthcare sector’s susceptibility to cybersecurity threats is a matter of increasing concern. The stakes for patient care and safety are high, and healthcare facilities, with their substantial size, technological dependency, sensitive data, and inherent vulnerability to disruptions, have become prime targets for cybercriminals. This vulnerability is reflected in Office for Civil Rights (OCR) data from the U.S. Department of Health and Human Services (HHS), which show a 93% increase in large breaches from 2018 to 2022, with ransomware incidents surging by 278%. The implications of such cyber incidents are profound, leading to many issues including extended care disruptions, patient diversions, and significant strains on healthcare systems. Most importantly, these incidents may endanger patient safety and disrupt critical services in local communities.
President Biden’s National Cybersecurity Strategy, launched in March 2023, demonstrates the government’s commitment to bolstering the nation’s cyber defenses and securing its digital infrastructure. This strategy is pertinent to the healthcare sector, which has undergone major digital transformation in recent years. Aligning government and industry efforts is essential if the country is to realize the President’s vision of a secure healthcare system resilient to cyber threats. In this context, HHS proposes a framework to address these cybersecurity challenges effectively.
HHS’s Role and Current Cybersecurity Activities
As the Sector Risk Management Agency (SRMA) for the Healthcare and Public Health Sector, HHS is responsible for various activities to mitigate cyber risks. These include sharing threat intelligence, providing technical assistance and resources to comply with data security laws, issuing cybersecurity guidance for medical devices, and publishing sector-specific best practices. Building on the National Cybersecurity Strategy, HHS’s 2023 Hospital Cyber Resiliency Landscape Analysis assessed the current state of hospital cybersecurity and identified additional resources and authorities needed to improve defenses. HHS has taken immediate action within its existing authorities, such as updating healthcare-specific cybersecurity guidance, releasing free cybersecurity trainings, issuing guidance for medical device manufacturers, and providing new telehealth guidance for healthcare providers and patients.
Proposed Path Forward for Cybersecurity Improvements
To enhance cyber resiliency in the healthcare sector, HHS plans to implement several measures. These include establishing voluntary cybersecurity performance goals for the sector, providing resources to incentivize and implement these practices, and developing a comprehensive HHS-wide strategy for greater enforcement and accountability. HHS also intends to expand and mature its one-stop shop within the Administration of Strategic Preparedness and Response (ASPR) for healthcare sector cybersecurity.
- Establishing Voluntary Cybersecurity Goals: HHS, with industry input, will publish sector-specific cybersecurity performance goals. These will include goals for foundational cybersecurity practices and enhanced goals for more advanced practices.
- Providing Resources and Incentives: HHS aims to work with Congress to secure new authority and funding to support hospitals in implementing cybersecurity practices. This includes an upfront investments program for high-need healthcare providers and an incentives program to encourage investment in advanced cybersecurity practices.
- Strategy for Enforcement and Accountability: Recognizing that funding and voluntary goals are insufficient, HHS plans to incorporate sector-specific Cybersecurity Performance Goals into existing regulations and programs, thereby creating enforceable standards. Proposed actions include new cybersecurity requirements for hospitals through Medicare and Medicaid and updating the HIPAA Security Rule to include new cybersecurity requirements.
- One-Stop Shop for Cybersecurity Support: HHS plans to enhance its cybersecurity support function within ASPR. This will improve coordination, deepen partnership with industry, increase incident response capabilities, and promote greater uptake of government services and resources.