Securing Health: Decoding the Newest HHS Cybersecurity Guidance

Breanne M. Rubin and Lauren A. Lowe

The U.S. Department of Health and Human Services (HHS) has released a comprehensive cybersecurity strategy for the health care sector, aiming to address increasing cybersecurity risks and protect patient data. The plan, which aligns with President Biden's National Cybersecurity Strategy released in March 2023, outlines a four-step action plan to enhance cyber resiliency in the health care industry. Key components of the strategy include:

The plan also addresses the need to update the HIPAA Security Rule to include new cybersecurity obligations, potentially addressing topics such as artificial intelligence and clarifying maximum annual penalty caps for HIPAA violations. The HHS emphasizes that the health care sector should carefully monitor the publication of these goals as they are likely to become industry standards and inform future regulatory action.

Cybersecurity Performance Goals

The health care industry is encouraged to pay close attention to the potential impact of the HHS cybersecurity action plan on cybersecurity practices and compliance efforts. HHS will designate "essential" Cybersecurity Performance Goals (CPGs), which represent minimum-competency cybersecurity practices, and "enhanced" CPGs, which incentivize the use of more sophisticated cybersecurity practices. HHS plans to incorporate the essential CPGs into future regulations and to establish new enforceable cybersecurity standards. Additionally, the strategy aims to work with Congress to enlarge civil monetary consequences for HIPAA violations and to expand resources to examine potential violations, run proactive audits, and provide outreach and technical assistance to low-resourced entities to help them improve their HIPAA compliance.

Incentives, Finances and Resources

HHS plans to incentivize and implement new cybersecurity practices in the health care sector by providing financial support and resources. The agency aims to work with Congress to attain new authority and funding to offer monetary support for domestic hospitals' outlay in cybersecurity. This includes two financial programs:

If an organization accepts such financial assistance, it should carefully evaluate the potential obligations and impacts that may come with it. These obligations may include, but are not limited to, certifications, reporting requirements and possible repayment obligations. Accepting financial assistance may also have an impact on upcoming strategic transactions. Therefore, the organization should consider all potential regulatory and financial implications.

Enforcement and Accountability

The HHS anticipates an agency-wide approach to enforcement and accountability with the implementation of CPGs, including cooperation with the Centers for Medicare and Medicaid Services (with potential impacts to Conditions of Participation) and the Office for Civil Rights (updating the HIPAA Security Rule). The HHS Administration of Strategic Preparedness and Response will also provide education and access to resources for improving cybersecurity systems consistent with the proposed CPGs. This health sector-specific resource is central to HHS' efforts to educate and provide guidance, through publications of articles and toolkits, to at-risk organizations and to organizations wishing to identify weaknesses in their cybersecurity systems and develop stronger foundations.

Industry Vulnerability

The HHS also highlights that the health care sector remains particularly vulnerable to cybersecurity risks: between 2018 and 2022 the sector experienced a 93% increase in large data breaches and a 278% increase in large breaches involving ransomware. The plan aims to ensure safe access to health care and protect the health and privacy of Americans, underscoring the critical need for strong cybersecurity practices in the health care sector.

Overall, the HHS cybersecurity strategy for the health care sector is a proactive and comprehensive approach to modernizing cybersecurity standards in a vulnerable and frequently targeted sector that relies on aging equipment and devices. It aims to:

The strategy also acknowledges the vulnerability of the health care sector to cybersecurity risks and the increasing breaches involving health care information, emphasizing the critical importance of strong cybersecurity practices in the industry. It is imperative that organizations in the health care sector stay up to date on new CPGs and regulations as they become available.

Should you have any questions concerning laws and regulations pertaining to health care cybersecurity, please contact Ms. Rubin or Ms. Lowe.


Disclaimer: This alert has been prepared by Eastman & Smith Ltd. for informational purposes only and should not be considered legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney/client relationship.