HHS Seeks to Increase Cybersecurity in the Health Care Sector

The U.S. Department of Health and Human Services (HHS) has been making efforts to increase cybersecurity in the health care sector and outlined its strategy in a concept paper released in December 2023. The paper stresses that both patient safety and privacy are at risk due to cyber incidents that the agency says have been on the rise.  

Such incidents include large data breaches, which are tracked by the HHS Office for Civil Rights (OCR), among them breaches involving ransomware; these are especially disruptive when they target hospitals and health systems.

HHS notes that the results of such incidents include the following: 

  • Care disruptions (including extended disruptions); 
  • Risk to patients who rely on local emergency departments, radiology units, or cancer centers; 
  • Strains on acute care provisioning and capacity; 
  • Delayed medical procedures; 
  • Cancelled medical appointments; 
  • Non-rendered services; and 
  • Patient diversion to other facilities. 

The strategy seeks to build on activities HHS already performs, such as sharing cyber threat information and intelligence with the sector; providing the sector with technical assistance, guidance and resources to comply with data security and privacy laws; and publishing health care-specific cybersecurity best practices, resources, and guides.  

THE ESTABLISHMENT OF VOLUNTARY CYBERSECURITY GOALS 

As the first among four pillars of action going forward, HHS is seeking to reduce confusion arising out of “numerous cybersecurity standards and guidance that apply to the sector,” by working with the industry to establish and publish Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs). 

The concept paper states that the goals will be voluntary and outline “minimum foundational practices” as well as enhanced goals to encourage more advanced practices.  

RESOURCES TO INCENTIVIZE AND IMPLEMENT CYBERSECURITY PRACTICES 

HHS says in the concept paper that it will seek funding from Congress to “provide financial support for domestic hospital investments in cybersecurity,” as well as the authority to enforce new cybersecurity requirements. It is currently planning an “upfront investments program,” as well as an “incentives program.” 

AN HHS-WIDE STRATEGY FOR ENFORCEMENT AND ACCOUNTABILITY 

In the concept paper, HHS indicates that it will eventually seek to make the above voluntary HPH CPGs mandatory and incorporate them into existing regulations and programs to ultimately result in “new enforceable cybersecurity standards.” 

To this end, it says that the Centers for Medicare & Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals through the Medicare and Medicaid programs. Additionally, HHS OCR will begin updating the HIPAA Security Rule in spring 2024.

ONE-STOP SHOP 

The fourth pillar involves HHS further developing its “one-stop shop” cybersecurity support function for the health care sector through its Administration for Strategic Preparedness and Response (ASPR). The goal is to increase HHS’s incident response capabilities and “promote greater uptake of government services and resources such as technical assistance, vulnerability scanning, and more.” 
