US Department of Health and Human Services Cybersecurity Strategy

The US Department of Health and Human Services has released a four-step cybersecurity strategy to combat the increasing cyber threats in the healthcare sector.

The vast US healthcare sector is a ‘target rich, resource poor’ environment for cybercriminals, subject to pervasive and damaging cyber attacks. This December, the US Department of Health and Human Services (HHS) released its own document explaining their cybersecurity strategy.

According to the HHS’s Office for Civil Rights (OCR), there has been “a 93% increase in large breaches reported from 2018 to 2022 (369 to 712), with a 278% increase in large breaches reported to OCR involving ransomware from 2018 to 2022.” The incidents don’t seem to be slowing down either, with one Thanksgiving Day attack limiting emergency room capabilities across many states in hospitals owned by Ardent Health Services. 

HHS isn’t starting entirely from scratch in building up stronger cybersecurity policies. In the strategy document, HHS explains how the department already shares information about emerging cyber threats within the sector to reduce possible harm, releases threat alerts and cybersecurity tips related to medical devices, and encourages good sector-specific cybersecurity practices as well as advice on compliance with data and privacy laws. 

The strategy centers around four specific steps to improve resilience in the healthcare sector: 

1. Establish Voluntary Cybersecurity Goals for the Healthcare Sector: The HHS will clarify sector-specific cybersecurity goals which will allow healthcare providers to better prioritize and implement both essential minimum practices and enhanced advanced practices. 
2. Provide Resources to Incentivize and Implement these Cybersecurity Practices:  The HHS will work with Congress to get funding for an ‘upfront investments program’ to help resource poor healthcare providers achieve minimum practices and an ‘incentives program’ to motivate all healthcare providers to use more advanced cybersecurity practices. 
3. Implement an HHS-wide Strategy to Support Greater Enforcement and Accountability: The Centers for Medicare and Medicaid Services (CMS) will propose new cybersecurity requirements for hospitals through Medicare and Medicaid, and the HHS OCR will update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule accordingly. The HHS will also work with Congress to invest more in finding HIPAA violations, in addition to increasing the civil monetary penalties for the violations. 
4. Expand and Mature the One-Stop Shop within HHS for Healthcare Sector Cybersecurity: Lastly, the HHS will improve its cybersecurity support center to enhance coordination within the Department of Health and Human Services and across the federal government. 

Cybersecurity has become a larger point of focus in federal healthcare practice, with a Healthcare and Public Health Cybersecurity Toolkit being released earlier this year, following the Cybersecurity and Infrastructure Security Agency’s (CISA’s) collaboration with HHS and the Health Sector Coordination Council (HSCC) Cybersecurity Working Group. This new strategy aims to protect the healthcare sector from cyberattacks and create a safer digital environment for healthcare providers and patients alike.