Last week, the U.S. Department of Health and Human Services (HHS) issued a new Strategy to boost cybersecurity in healthcare. In addition to the strategy goals, HHS intends to increase HIPAA enforcement and update the HIPAA Security Rule.
The Healthcare Sector is Vulnerable
HHS notes that “the healthcare sector is particularly vulnerable to cybersecurity risks, and the stakes for patient care and safety are particularly high. Healthcare facilities are attractive targets for cybercriminals in light of their size, technological dependence, sensitive data, and unique vulnerability to disruptions.”
Cybersecurity incidents in healthcare have grown sharply over the past few years. From 2018 to 2022, large breaches reported to the HHS Office for Civil Rights (OCR) rose 93% (from 369 to 712), and large breaches involving ransomware rose 278%. According to HHS, cyber incidents in healthcare have led to extended care disruptions, patient diversions to other facilities, and delayed medical procedures, all of which put patient safety at risk.
The new Strategy builds on the National Cybersecurity Strategy that President Biden released on March 1, 2023, focusing on strengthening resilience for hospitals, patients, and communities threatened by cyber-attacks.
Four Primary Goals
HHS’ new Strategy describes four goals:
- Establish voluntary cybersecurity performance goals for the healthcare sector;
- Provide resources to incentivize and implement these cybersecurity practices;
- Implement an HHS‑wide strategy to support greater enforcement and accountability; and
- Expand and mature the one‑stop shop within HHS for cybersecurity.
Cybersecurity Performance Goals
HHS acknowledges that numerous cybersecurity standards and guidance documents already apply to healthcare, but that organizations need clarity about which practices to prioritize. HHS will therefore work with the healthcare sector to establish voluntary, healthcare-specific Cybersecurity Performance Goals (CPGs) that spell out the practices to implement first.
HHS also notes that funding and voluntary goals alone will not drive the needed change in cyber-related behavior. Given the elevated risk to hospitals, HHS plans to have all hospitals meeting the new sector-specific CPGs in the coming years, first on a voluntary basis and then through enforcement.
2024 HIPAA Security Rule Update
The Office for Civil Rights will begin an update to the HIPAA Security Rule in the spring of 2024 to add new cybersecurity requirements. Separately, OCR is also expected to issue changes to the HIPAA Privacy Rule in 2024.
Increase HIPAA Civil Monetary Penalties
HHS will continue working with Congress to increase civil monetary penalties for HIPAA violations and to expand the resources available to HHS for investigating potential HIPAA violations, conducting proactive audits, and scaling outreach and technical assistance for low-resourced organizations to improve HIPAA compliance.
HHS Investigations and HIPAA Enforcement
The Centers for Medicare & Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals through Medicare and Medicaid.
In addition to increasing investigations, OCR will conduct proactive audits and scale outreach and technical assistance for low-resourced organizations to improve HIPAA compliance.
In the interim, OCR will continue to investigate potential HIPAA violations.
Better HIPAA Compliance Today
Don’t wait for changes from HHS to increase your cybersecurity defenses. HIPAA enforcement hasn’t slowed down. In addition to HHS/OCR, enforcement comes from the Federal Trade Commission (FTC), state Attorneys General and private lawsuits.
Make sure you have updated HIPAA policies in place, conduct a HIPAA Risk Analysis at least annually (and revisit it whenever systems, vendors or workflows change, since OCR treats risk analysis as an ongoing process rather than a one-time exercise), and train the workforce. For guidance on ransomware, use StopRansomware.gov.