While cybersecurity attacks on hospitals and other health care-related entities are not new, in recent years we have begun to see a steady increase in attacks. According to the Office of Civil Rights (OCR), from 2018 to 2022 there was a 93% increase in large security breaches within healthcare entities. When a health care system undergoes a cybersecurity attack, not only is patients’ sensitive information put at risk, but there can be an impact on direct patient care that lasts for weeks, such as delayed procedures, patients being routed to other facilities, and cancelled appointments.

Last year, the Biden Administration brought forward the National Cybersecurity Strategy, which looks to have both the private and public sectors collaborate in securing cyberspace. In response to the National Cybersecurity Strategy, the US Department of Health and Human Services (HHS) released an outline of its strategy to address cybersecurity moving forward in the December 2023 report titled Healthcare Sector Cybersecurity: Introduction to the Strategy of the US Department of Health and Human Services. During the release of the Health Sector Cybersecurity strategy document, HHS Deputy Secretary Andrea Palm noted, “The health care sector is experiencing a significant rise in cyberattacks, putting patient safety at risk. These attacks expose vulnerabilities in our health care system, degrade patient trust, and ultimately endanger patient safety. HHS takes these threats very seriously, and we are taking steps that will ensure our hospitals, patients, and communities impacted by cyberattacks are better prepared and more secure.”

Various federal departments have been allocated specific duties regarding cybersecurity. The duties allocated to HHS, around which it built the Healthcare Sector Cybersecurity document, include:
- Sharing threat information and intelligence with the health care sector to mitigate risks
- Providing the health care sector with technical assistance, guidance and resources to comply with data security and privacy laws
- Issuing cybersecurity guidance and threat alerts for medical devices
- Publishing healthcare-specific cybersecurity best practices, resources and guidance
In meeting the aforementioned duties, HHS has already issued several publications, such as the Health Industry Cybersecurity Practices and guidance for medical device manufacturers on pre-market cybersecurity recommendations and requirements for all new medical devices. With the strategies listed in the Healthcare Sector Cybersecurity outline, HHS intends to build on these previous actions with the following:

Establish voluntary cybersecurity performance goals for the healthcare sector

HHS will work with input from industry on establishing and publishing “voluntary sector-specific cybersecurity performance goals.” These goals will not only help alleviate the confusion generated by the plethora of information available but also give the industry clear direction on potential future regulatory action HHS may take in this area.

Provide resources to incentivize and implement these cybersecurity practices

HHS will seek new authority and funds from Congress to assist with hospital investments in cybersecurity and to enforce new cybersecurity requirements through fines on hospitals.

Implement an HHS-wide strategy to support greater enforcement and accountability

HHS will propose integrating the Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) into existing regulations and programs, which will inform the creation of new enforceable cybersecurity standards. This will include new cybersecurity requirements for hospitals participating in Medicare and Medicaid. Additionally, OCR will begin a much-discussed update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in spring 2024, which will include new cybersecurity requirements. Increased penalties, more audits and more technical assistance for HIPAA are also being discussed.

Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity

HHS will work to evolve and improve its function as the one-stop shop for cybersecurity support for the healthcare sector. It hopes to enhance coordination within HHS and across the federal government while also building on its partnership with industry. HHS looks to increase incident response capabilities and “promote greater uptake of government services and resources such as technical assistance, vulnerability scanning, and more.”

The strategy has already raised some concerns in the health care sector. The American Hospital Association (AHA) has said it welcomes assistance in helping hospitals protect against cybersecurity attacks, but imposing mandatory requirements is not something it can support. As noted in a December 8, 2023 Healthcare IT News article, AHA president and CEO Richard J. Pollack says, “The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime.” While some have raised concerns regarding the strategy, nearly everyone agrees that cybersecurity is an important issue, including those in the telehealth field. Last year, HHS released several tools and resources related to telehealth and security including:
Like the rest of the health care sector, the telehealth community must be aware of this issue and be ready to provide input when needed to assist in the thoughtful development of policies that will impact telehealth. CCHP will continue to monitor developments in this area as well as the HIPAA updates slated for the spring. For more information on the HHS strategy to address cybersecurity moving forward, read the report in its entirety.