HHS Unveils Cybersecurity Strategy to Safeguard Health Care Sector

The U.S. Department of Health and Human Services (HHS) has introduced a comprehensive cybersecurity strategy aimed at fortifying the resilience of the health care sector against the escalating threat of cyber-attacks. The concept paper, aligned with President Biden's National Cybersecurity Strategy, outlines four pivotal pillars for action with a focus on bolstering cybersecurity for hospitals, patients, and communities vulnerable to cyber threats.

According to the HHS Office for Civil Rights (OCR), cyber incidents in the health care domain have surged significantly. Between 2018 and 2022, large breaches reported to OCR increased by 93%, from 369 to 712 incidents. Particularly alarming is the 278% surge in large breaches involving ransomware, indicating a critical need for heightened cybersecurity measures in the health care sector.

HHS Secretary Xavier Becerra emphasized the urgency and importance of securing the health care sector, stating, "The health care sector is particularly vulnerable, and the stakes are especially high. Our commitment to this work reflects that urgency and importance." Becerra added that HHS is actively collaborating with health care and public health partners to enhance cybersecurity capabilities nationwide, underscoring the administration's dedication to addressing the pressing cybersecurity challenges faced by hospitals and health care organizations.

The concept paper articulates the following key actions as part of the HHS cybersecurity strategy:

  1. Publish Voluntary Health Care and Public Health Sector Cybersecurity Performance Goals (HPH CPGs): HHS will release HPH CPGs to guide health care institutions in planning and prioritizing the implementation of high-impact cybersecurity practices.
  2. Provide Resources to Incentivize and Implement Cybersecurity Practices: HHS will work collaboratively with Congress to secure new authority and funding, enabling the administration to administer financial support and incentives for domestic hospitals to adopt high-impact cybersecurity practices.
  3. Implement an HHS-Wide Strategy for Greater Enforcement and Accountability: HHS intends to propose new enforceable cybersecurity standards, informed by the HPH CPGs, which will be incorporated into existing programs, including Medicare and Medicaid, and the HIPAA Security Rule.
  4. Expand and Mature the One-Stop Shop for Health Care Sector Cybersecurity: HHS plans to enhance the Administration for Strategic Preparedness and Response's (ASPR) coordination role, positioning it as a "one-stop shop" for health care cybersecurity. This initiative aims to improve coordination within HHS and the federal government, strengthen partnerships with industry stakeholders, enhance access to government support and services, and boost HHS's incident response capabilities.

Deputy National Security Adviser for Cyber and Emerging Technologies, Anne Neuberger, affirmed the Biden-Harris Administration's commitment to establishing robust cybersecurity standards for health care organizations. Neuberger emphasized that preventing cyber impacts, such as canceled medical treatments and stolen medical records, is crucial for keeping Americans safe.

HHS Deputy Secretary Andrea Palm highlighted the significance of addressing the rise in cyberattacks in the health care sector, noting that these attacks not only expose vulnerabilities in the health care system but also erode patient trust and jeopardize patient safety. The HHS concept paper serves as a strategic roadmap to fortify the health care sector's cybersecurity defenses and ensure its preparedness in the face of evolving cyber threats.
