HHS Plans New Cybersecurity Measures for Healthcare Sector

In response to the escalating cyber threats targeting hospitals, the U.S. Department of Health and Human Services (HHS) has proposed a series of actions aimed at bolstering cybersecurity across the healthcare sector. The initiative, which was initially reported by Politico, includes a mix of voluntary and potentially mandatory measures that healthcare facilities would need to implement.

The HHS is currently soliciting feedback on a set of proposals that would integrate new cybersecurity requirements into the Medicare and Medicaid programs. This move could link federal funding to adherence to certain cybersecurity standards. The concept, which aligns with ideas previously suggested by HHS Deputy Secretary Andrea Palm and Senator Mark Warner, emphasizes that more than funding and voluntary commitments is needed to induce significant cybersecurity improvements in healthcare.

The department’s aspirations include having all hospitals meet specific Cybersecurity Performance Goals (CPGs) in the near future, reflecting the heightened risk profile of these institutions. Furthermore, the HHS is considering updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by spring 2024, which would also encompass new cybersecurity mandates.

In an effort to enforce compliance, the HHS plans to collaborate with Congress to increase civil monetary penalties for HIPAA infractions and to enhance its capacity to investigate potential violations, conduct audits, and offer technical support.

This strategic plan is a reaction to the continuous ransomware attacks that have led to prolonged operational disruptions in hospitals, resulting in diverted ambulances, canceled appointments, and a reliance on manual record-keeping. Research conducted by the University of Minnesota indicates that such cyber incidents have not only disrupted services but have also been linked to increased mortality rates among patients in affected hospitals.

The HHS’s Office for Civil Rights (OCR) has documented a significant rise in large data breaches, particularly those involving ransomware, over the past few years. These breaches have had both immediate and long-lasting impacts on patient care and safety, as well as on the broader community that relies on these healthcare services.

The HHS’s comprehensive approach to addressing cybersecurity in healthcare is a critical step towards mitigating the risks posed by cyberattacks and ensuring the continuity and reliability of medical services. The department’s efforts underscore the importance of safeguarding patient data and healthcare infrastructure in an increasingly digitalized world.
