HHS Unveils Next Steps to Enhance Cybersecurity of Health Care Records

WASHINGTON — The bad guys in cyberspace want your health care records.
Between 2018 and 2022, there was a 93% increase in large breaches in the health care sector, with a 278% increase in large breaches involving ransomware, according to the Department of Health and Human Services’ Office for Civil Rights.
As a result of the breaches, the bad actors behind them have caused extended care disruptions, patient diversions to other facilities and delayed medical procedures, all putting patient safety at risk.
In an effort to address the issue, HHS on Wednesday released a concept paper that succinctly outlines its cybersecurity strategy for the health care sector.
The concept paper builds on the National Cybersecurity Strategy that President Joe Biden released last year, focusing specifically on strengthening resilience for hospitals, patients and communities threatened by cyberattacks.
In doing so, it details four pillars for action, including publishing new voluntary health care-specific cybersecurity performance goals, working with Congress to develop support and incentives for domestic hospitals to improve cybersecurity, and increasing accountability and coordination within the health care sector.
“Since entering office, the Biden-Harris administration has worked to strengthen the nation’s defenses against cyberattacks. The health care sector is particularly vulnerable, and the stakes are especially high,” said HHS Secretary Xavier Becerra in a written statement.
“HHS is working with health care and public health partners to bolster our cybersecurity capabilities nationwide. We are taking necessary actions that will make a big difference for the hospitals, patients and communities who are being impacted,” he said.
The specific actions outlined in the HHS concept paper are as follows. It has committed to:
- Publish voluntary Health care and Public Health (HPH) sector Cybersecurity Performance Goals (CPGs). HHS will release HPH CPGs to help health care institutions plan and prioritize implementation of high-impact cybersecurity practices.
- Provide resources to incentivize and implement cybersecurity practices. HHS will work with Congress to obtain new authority and funding to administer financial support and incentives for domestic hospitals to implement high-impact cybersecurity practices.
- Implement an HHS-wide strategy to support greater enforcement and accountability. HHS will propose new enforceable cybersecurity standards, informed by the HPH CPGs, that would be incorporated into existing programs, including Medicare and Medicaid and the HIPAA Security Rule.
- Expand and mature the one-stop shop within HHS for health care sector cybersecurity. HHS will mature the Administration for Strategic Preparedness and Response’s coordination role as a “one-stop shop” for health care cybersecurity with the aim of improving coordination within HHS and the federal government, deepening HHS and the federal government’s partnership with industry, and increasing HHS’s incident response capabilities.
“The health care sector is experiencing a significant rise in cyberattacks, putting patient safety at risk. These attacks expose vulnerabilities in our health care system, degrade patient trust and ultimately endanger patient safety,” said HHS Deputy Secretary Andrea Palm in a statement.
“HHS takes these threats very seriously, and we are taking steps that will ensure our hospitals, patients and communities impacted by cyberattacks are better prepared and more secure,” she said.
Dan can be reached at @DanMcCue