Articles
Securing Health: Decoding the Newest HHS Cybersecurity Guidance
The U.S. Department of Health and Human Services (HHS) has released a comprehensive cybersecurity strategy for the health care sector, aiming to address the increasing cybersecurity risks and protect patient data. The plan, which aligns with President Biden's National Cybersecurity Strategy released in March 2023, outlines a four-step action plan to enhance cyber resiliency in the health care industry. Key components of the strategy include:
- the establishment of voluntary health care sector-specific Cybersecurity Performance Goals (CPGs);
- providing resources and financial support to entice and apply new cybersecurity practices;
- implementing an agency-wide strategy to assist in enforcement and accountability; and
- expanding the Administration of Strategic Preparedness and Response to serve as a "one-stop shop" for cybersecurity support.
The plan also addresses the need to update the HIPAA Security Rule to include new cybersecurity obligations, potentially addressing topics such as artificial intelligence and clarifying maximum annual penalty caps for HIPAA violations. The HHS emphasizes that the health care sector should carefully monitor the publication of these goals as they are likely to become industry standards and inform future regulatory action.
Cybersecurity Performance Goals
The health care industry is encouraged to pay close attention to the potential impact of the HHS cybersecurity action plan on cybersecurity practices and compliance efforts. HHS will designate “essential” CPGs which represent minimum competency cybersecurity practices, and “enhanced” CPGs to incentivize use of more sophisticated cybersecurity practices. HHS plans to incorporate the essential CPGs into future regulations and make new enforceable cybersecurity standards. Additionally, the strategy aims to work with Congress to enlarge civil monetary consequences for HIPAA violations and expand resources to examine potential violations, run proactive audits, and provide outreach and technical assistance to low-resourced entities to help them improve their HIPAA compliance.
Incentives, Finances and Resources
HHS plans to incentivize and implement new cybersecurity practices in the health care sector by providing financial support and resources. The agency aims to work with Congress to attain new authority and funding to offer monetary support for domestic hospitals' outlay in cybersecurity. This includes two financial programs:
- the first program will assist high-need health care providers by covering the upfront investment costs related to applying essential cybersecurity practices (requiring compliance with “essential” CPGs as discussed above), and
- the second program will incentivize all hospitals to implement more progressive cybersecurity practices (requiring compliance with “enhanced” CPGs).
If an organization accepts said financial assistance, it should carefully evaluate the potential obligations and impacts that may come with it. These obligations may include but are not limited to, certifications, reporting requirements and possible repayment obligations. Accepting financial assistance also may have an impact on upcoming strategic transactions. Therefore, the organization should consider all potential regulatory and financial implications.
Enforcement and Accountability
The HHS anticipates an agency-wide approach to enforcement and accountability with the implementation of CPGs, including cooperation with the Centers for Medicare and Medicaid Services (with potential impacts to Conditions of Participation) and the Office for Civil Rights (updating the HIPAA Security Rule). Further providing education and access to improving cybersecurity systems consistent with proposed CPGs is the HHS Administration of Strategic Preparedness and Response. This health sector-specific resource is central to HHS’ efforts to educate and provide guidance to at-risk organizations or organizations wishing to further identify weaknesses in their cybersecurity systems and develop stronger foundations through publications of articles and toolkits.
Industry Vulnerability
The HHS also highlights that the health care sector still remains particularly vulnerable to cybersecurity
risks, as between 2018 and 2022 the sector has experienced an increase of 93% in large data breaches as well as an increase of 278% in large breaches that include ransomware. The plan aims to ensure safe access to health care and protect the health and privacy of Americans, underscoring the critical need for strong cybersecurity practices in the health care sector.
Overall, the HHS's cybersecurity strategy for the health care sector is a proactive and comprehensive approach to modernize cybersecurity standards in a vulnerable and often targeted sector with aged equipment and devices. It aims to:
- establish voluntary health care sector-specific CPGs;
- provide resources and financial support to incentivize and implement new cybersecurity practices;
- enhance enforcement and accountability; and
- expand the one-stop shop for cybersecurity support.
The strategy also acknowledges the vulnerability of the health care sector to cybersecurity risks and the increasing breaches involving health care information, emphasizing the critical importance of strong cybersecurity practices in the industry. It is imperative that organizations in the health care sector stay up to date on new CPGs and regulations as they become available.
Should you have any questions concerning laws and regulations pertaining to health care cybersecurity, please contact Ms. Rubin or Ms. Lowe.
____________________________
Disclaimer: This alert has been prepared by Eastman & Smith Ltd. for informational purposes only and should not be considered legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney/client relationship.