The U.S. Department of Health and Human Services (HHS) has announced a plan to provide resources and incentives for the healthcare industry to adopt cybersecurity measures and to increase potential regulatory penalties for cybersecurity breaches amid growing data security risks to hospitals and health systems.

Quick Hits

• HHS released a concept paper outlining four key steps the department will take to improve cybersecurity across the healthcare sector and provide resources and financial support to implement best practices.
• The paper states HHS’s goals to work with Congress to increase its funding to provide financial support to hospitals to implement cybersecurity practices, expand its enforcement authority, and increase civil monetary penalties for HIPAA violations.
• The performance guidelines include “essential goals” to define “minimum foundational practices for cybersecurity” and “enhanced goals” that serve as the best practices for data security.

On December 6, 2023, HHS released a “concept paper,” “Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services,” outlining four new and ongoing steps HHS will take to “advance cyber resiliency in the healthcare sector,” especially with respect to high-risk targets like hospitals.

HHS noted that healthcare providers are especially vulnerable to cybersecurity attacks and hold large amounts of sensitive health data of patients, making them “attractive targets for cyber criminals.” According to the HHS Office for Civil Rights (OCR), reported large data breaches increased 93 percent from 2018 to 2022, including a 278 percent increase in reported large breaches involving ransomware.

To address these risks, HHS plans to take the following steps:

1. “Establish voluntary cybersecurity goals for the healthcare sector.” HHS will publish “Healthcare and Public Health Sector-specific Cybersecurity Performance Goals” (HPH CPGs) to facilitate the adoption of cybersecurity best practices.
2. “Provide resources to incentivize and implement these cybersecurity practices.” HHS stated that it will seek increased funding from the U.S. Congress for hospital cybersecurity investments and expand HHS authority to “enforce new cybersecurity requirements through the imposition of financial consequences for hospitals.” Toward that end, HHS will seek to establish two new programs: (1) “an upfront investments program” to provide financial support to low-resourced providers and hospitals to cover upfront costs of implementing “essential” HPH CPGs; and (2) “an incentives program” to encourage the adoption of recommended, or “enhanced,” cybersecurity practices.
3. “Implement an HHS-wide strategy to support greater enforcement and accountability.” HHS will seek to have the HPH CPGs incorporated into existing regulations to establish “new enforceable cybersecurity standards” and ask Congress to increase monetary penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA). Specifically, HHS will seek comment on two proposed actions: (1) a proposal by the Centers for Medicare and Medicaid Services (CMS) for new cybersecurity requirements for hospitals; and (2) OCR adding cybersecurity requirements to the HIPAA Security Rule (planned for Spring 2024).
4. “Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity.” HHS will seek to improve its “one-stop shop” for cybersecurity support for the healthcare sector within the Administration of Strategic Preparedness and Response (ASPR). Although light on details, the concept paper stated that the “one-stop shop” will enhance coordination between HHS, the federal government, and private entities and increase the availability of cybersecurity resources for the healthcare sector, such as “technical assistance, vulnerability scanning, and more.”

Next Steps

The HHS concept paper highlights the department’s and the federal government’s priority to protect data privacy, particularly concerning individuals’ sensitive health information. The concept paper comes after the Biden administration’s “National Cybersecurity Strategy,” released in March 2023, and builds on HHS’s “2023 Hospital Cyber Resiliency Initiative Landscape Analysis,” which was developed in partnership with the industry and published in April 2023.

According to the paper, HHS seeks to develop both carrots and sticks to drive healthcare providers to improve their cybersecurity. On the positive reinforcement side, HHS will release cybersecurity practices and goals for the industry to follow, and the department will work with Congress to increase its financial resources for supporting hospital cybersecurity investments. If providers violate HIPAA, however, HHS is requesting that Congress expand its enforcement toolkit, both through expansion of HHS’s enforcement authority and through increases to civil monetary penalties.

Healthcare employers might want to review their cybersecurity policies and safeguards in light of the increase in high-profile data breaches (including ransomware attacks) and federal regulators’ increased scrutiny. If the impending HPH CPGs ultimately become regulatory requirements at some juncture, as HHS suggests, businesses may be able to take advantage of financial incentives to implement these safeguards proactively while they remain “enhanced” rather than “essential” benchmarks.