The U.S. Department of Health and Human Services (HHS) released a concept paper outlining the Department’s cybersecurity strategy to address rising health sector security incidents. This concept paper is a result of the Biden administration’s efforts to strengthen national defense against cyber-attacks and seeks to build on the Presidential National Cybersecurity Strategy. According to the HHS Office for Civil Rights (OCR), large breaches reported to OCR have increased by 93% from 2018 to 2022, with many large breaches involving ransomware. These attacks, according to HHS, have significant impact on patient privacy and can endanger patient safety by causing delays in treatment due to systems being shut down. The concept paper provides details of how the HHS plans to address these concerns.
The concept paper details how HHS has updated various sectoral resources and outlines a series of forthcoming Cybersecurity Performance Goals (CPGs) to help healthcare institutions prioritize high-impact security practices. The CPGs will include “essential” foundational goals, intended to establish a baseline of cybersecurity standards, and “enhanced” goals, to encourage adoption of advanced practices. The goals will be reviewed continually to keep pace with evolving cyber threats. These CPGs have not been drafted yet, though we anticipate they will resemble the sorts of best practices emphasized by other government regulators, including the FTC. To aid in implementing the CPGs, healthcare institutions may receive government assistance through yet-to-be established investment programs for essential CPGs and incentive programs for enhanced CPGs. Additionally, the Centers for Medicare and Medicaid Services will propose new requirements for hospitals and in early 2024, propose updates to the HIPAA Security Rule to include new cybersecurity requirements.
This HHS announcement parallels activities by other federal authorities to regulate in the cybersecurity arena through a combination of guidelines and modified rules, such as the SEC public company security rule that took effect on December 15th. We expect the new year will bring a mix of non-binding guidance and enforcement actions of existing rules, with the overall goal of driving enhancements to critical infrastructure security.