HHS Pushing to Strengthen Cybersecurity in Healthcare

Last week, the U.S. Department of Health and Human Services (HHS) issued a new Strategy to boost cybersecurity in healthcare. In addition to the strategy goals, HHS intends to increase HIPAA enforcement and update the HIPAA Security Rule.

The Healthcare Sector is Vulnerable

HHS notes that “the healthcare sector is particularly vulnerable to cybersecurity risks, and the stakes for patient care and safety are particularly high. Healthcare facilities are attractive targets for cybercriminals in light of their size, technological dependence, sensitive data, and unique vulnerability to disruptions.”

Cybersecurity incidents in healthcare have grown alarmingly over the past few years. From 2018-2022, there has been a 93% increase in large breaches reported to the HHS Office for Civil Rights (OCR) (369 to 712), with a 278% increase in large breaches involving ransomware. According to HHS, cyber incidents in healthcare have led to extended care disruptions, patient diversions to other facilities, and delayed medical procedures, all putting patient safety at risk.

The new Strategy builds on the National Cybersecurity Strategy that President Biden released on March 1, 2023, focusing on strengthening resilience for hospitals, patients, and communities threatened by cyber-attacks.

Four Primary Goals

HHS’ new Strategy describes four goals:

  1. Establish voluntary cybersecurity performance goals for the healthcare sector;
  2. Provide resources to incentivize and implement these cybersecurity practices;
  3. Implement an HHS‑wide strategy to support greater enforcement and accountability; and
  4. Expand and mature the one‑stop shop within HHS for cybersecurity.

Cybersecurity Performance Goals

HHS acknowledges that numerous cybersecurity standards and guidance apply to healthcare but may need clarification about which cybersecurity practices to prioritize. Therefore, HHS will work with the healthcare sector to establish updated Cybersecurity Performance Goals (CPGs) that must be followed.

HHS notes that funding and voluntary goals alone will not drive the cyber-related behavioral change needed. Given the increased risks for hospitals, HHS plans to have all hospitals meeting the new sector-specific CPGs in the coming years, both voluntarily and through enforcement.

2024 HIPAA Security Rule Update

The Office for Civil Rights will begin an update to the HIPAA Security Rule in the spring of 2024 to include new cybersecurity requirements. Note that OCR is expected to issue changes to the Privacy Rule in 2024.

Increase HIPAA Civil Monetary Penalties

HHS will continue working with Congress to increase civil monetary penalties for HIPAA violations and to increase resources for HHS to investigate potential HIPAA violations, conduct proactive audits, and scale outreach and technical assistance for low-resourced organizations to improve HIPAA compliance.

HHS Investigations and HIPAA Enforcement

The Centers for Medicare & Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals through Medicare and Medicaid.

In addition to increasing investigations, OCR will conduct proactive audits and scale outreach and technical assistance for low-resourced organizations to improve HIPAA compliance.

In the interim, OCR will continue to investigate potential HIPAA violations.

Better HIPAA Compliance Today

Don’t wait for changes from HHS to increase your cybersecurity defenses. HIPAA enforcement hasn’t slowed down. In addition to HHS/OCR, enforcement comes from the Federal Trade Commission (FTC), state Attorneys General and private lawsuits.

Make sure you have updated HIPAA policies in place, conduct an annual HIPAA Risk Analysis, and train the workforce. For guidance on ransomware, use StopRansomware.gov.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.
