HHS Proposes Cybersecurity Requirements for Hospitals
EXECUTIVE SUMMARY
A concept paper from the Department of Health and Human Services (HHS) provides a cybersecurity strategy for healthcare organizations. The voluntary goals could become requirements soon.
- Cybersecurity incidents continue to increase every year.
- HHS will establish voluntary cybersecurity performance goals.
- Telehealth disclosure is noted in the paper as a particular concern.
The Department of Health and Human Services (HHS) recently released a concept paper outlining its cybersecurity strategy for the healthcare sector, focusing specifically on strengthening resilience for hospitals threatened by cyberattacks. HHS outlined four pillars for action, including new voluntary healthcare-specific cybersecurity performance goals.[1]
Cyber incidents in healthcare are increasing. HHS reported a 93% increase in large breaches reported to the Office for Civil Rights (OCR) from 2018 to 2022 — from 369 incidents to 712. There was a 278% increase in large breaches involving ransomware.[2]
“The healthcare sector is experiencing a significant rise in cyberattacks, putting patient safety at risk. These attacks expose vulnerabilities in our healthcare system, degrade patient trust, and ultimately endanger patient safety,” said HHS Deputy Secretary Andrea Palm. “HHS takes these threats very seriously, and we are taking steps that will ensure our hospitals, patients, and communities impacted by cyberattacks are better prepared and more secure.”[2]
The HHS concept paper outlines these initiatives:
- “Publish voluntary Healthcare and Public Health sector Cybersecurity Performance Goals (HPH CPGs). HHS will release HPH CPGs to help healthcare institutions plan and prioritize implementation of high-impact cybersecurity practices.”
- “Provide resources to incentivize and implement cybersecurity practices. HHS will work with Congress to obtain new authority and funding to administer financial support and incentives for domestic hospitals to implement high-impact cybersecurity practices.”
- “Implement an HHS-wide strategy to support greater enforcement and accountability. HHS will propose new enforceable cybersecurity standards, informed by the HPH CPGs, that would be incorporated into existing programs, including Medicare and Medicaid and the HIPAA Security Rule.”
- “Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity. HHS will mature the Administration for Strategic Preparedness and Response’s coordination role as a ‘one-stop shop’ for healthcare cybersecurity which will improve coordination within HHS and the federal government, deepen HHS and the federal government’s partnership with industry, improve access and uptake of government support and services, and increase HHS’s incident response capabilities.”
More Regulatory Issues Could Emerge
Hospitals are grappling with unprecedented levels of cybersecurity issues and might welcome a higher level of regulation, says Jolie Apicella, JD, partner with Wiggin and Dana in New York City. However, that could come with new, emerging legal and regulatory issues on top of the regulations that they already face.
“HHS’s mission here is to improve overall cybersecurity practices and build up the resiliency of the programs. These cybersecurity threats are really criminal operations, so hospitals have to now implement the absolute best cybersecurity practices. Not only that, but they have to live up to them, which is a very difficult thing to do,” Apicella explains. “There could just be a slip-up, there might not even be any exposure or any sort of leaks that come from that, but they can then be on the hook.”
The concept paper tells healthcare organizations where HHS is setting its priorities. “They’re definitely working as hard as they can to improve the overall cybersecurity practices of hospitals because they are some of the most vulnerable targets,” Apicella says. “They want to publicize any vulnerability that the hospitals may have as a way for the public to feel comfort that the hospital would be held accountable.”
The concept paper draws attention to OCR’s recently updated telehealth guidance, notes Jason Johnson, JD, partner with Crowell & Moring in New York City. Along with guidance from the Federal Trade Commission, the HHS concept paper signals a joint collaborative effort that health organizations should heed.
“For telehealth, this is really the first significant paper that’s put together a bunch of items on the telehealth side to provide some concrete information as to the use and access of telehealth,” Johnson says. “During COVID, there was discretion from OCR around enforcement, and now we’ve kind of moved into the next phase where entities need to pay attention to what OCR is saying about this.”
A key concern should be ensuring that the organization provides full disclosure to individuals, Johnson says. “It’s important that your patients understand the privacy and security protections in place, and the risks that go along with that. I think that’s a little bit of a significant deviation from what we’ve seen in the past,” he notes. “This puts the burden on these entities to provide additional information and disclosure to those individuals that is in line with what you see outside of healthcare. I don’t think a lot of healthcare entities probably are very well versed on that.”
Voluntary Could Become Mandatory
The cyber performance goals to be developed by HHS would be voluntary at first but may become requirements soon, says Kirsten Mickelson, cyber practice group leader with Gallagher Bassett in Rolling Meadows, IL, which provides healthcare professional liability claims and risk management consulting.
“There are references in the proposal which are signaling that they will become requirements as early as this year. It builds on the Biden administration’s national security strategy and serves as an introduction to HHS’s own cybersecurity strategy,” Mickelson explains. “I think it’s significant because it offers insight to the healthcare sector into the more active role HHS will probably play in the cybersecurity space.”
Through Sector Risk Management Agencies, HHS would be responsible not only for sharing cyber threat information and intelligence with the healthcare sector, but also for providing technical assistance, guidance, and resources to help organizations comply with data security and privacy laws.
“This is coming from the highest level,” Mickelson says. “It is significant in that sense because it demonstrates the level of involvement HHS will have with the government and the current administration in terms of sharing the threat intelligence. It shows that the overall goal is driving enhancements to critical infrastructure security.”
HHS is signaling that it is holding healthcare organizations responsible for breaches, says William P. Dillon, JD, shareholder with Gunster law firm in Tallahassee, FL. Regulators may have had more sympathy in the past because organizations were up against sophisticated hackers with quickly emerging technology, he says.
“Then, they looked and said they failed to conduct a risk analysis, they didn’t have policies or procedures in place to regularly review information system activity. They’re pushing the same thing that they’ve been saying for years, and if people aren’t adhering to that, I think OCR is taking the position of saying, ‘We’re going to have to do a two-pronged approach,’” Dillon says. “They’re continuing to do education, but now they’re holding some people’s feet to the fire.”
The cybersecurity plan does not seem to address one key failing in the government’s enforcement of existing requirements, says Iliana L. Peters, JD, shareholder with Polsinelli in Washington, DC. Previously, Peters was acting deputy director for HHS and enforced HIPAA regulations. HHS responds vigorously to self-reported cyber breaches but does little to audit compliance and find unreported incidents, she says.
“All I see — at least for now, and I’m hoping that that will change — is increased enforcement against those entities who are doing something right. They’re not doing everything right, but they have compliance programs and they’re reporting breaches,” Peters says. “Some of the enhanced goals are already required by law, so I’m a little confused about how that is an enhanced goal when it is something that arguably they should already be doing.”
With the increased risk of cyber threats, cyber insurance is much harder to get now, and the insurers want to see more proof that the organization is taking adequate steps to protect against attacks, Peters says.
“You have to be investing money into understanding what your risk landscape looks like. That is risk analysis, risk management, implementation of really good controls, technical controls, data loss prevention, multifactor authentication — all of those things,” she says. “You’re never done with cybersecurity preparedness because the threats are constantly changing.”
REFERENCES
1. U.S. Department of Health and Human Services. Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services. December 2023. https://aspr.hhs.gov/cyber/Doc...
2. U.S. Department of Health and Human Services. HHS announces next steps in ongoing work to enhance cybersecurity for health care and public health sectors. Dec. 6, 2023. https://www.hhs.gov/about/news...
SOURCES
- Jolie Apicella, JD, Partner, Wiggin and Dana, New York City. Phone: (212) 551-2844.
- William P. Dillon, JD, Shareholder, Gunster, Tallahassee, FL. Phone: (850) 521-1708.
- Jason Johnson, JD, Partner, Crowell & Moring, New York City. Phone: (212) 520-1860.
- Kirsten Mickelson, Cyber Practice Group Leader, Gallagher Bassett, Rolling Meadows, IL. Phone: (630) 773-3800.
- Iliana L. Peters, JD, Shareholder, Polsinelli, Washington, DC. Phone: (202) 626-8327.