The U.S. Department of Health and Human Services (HHS) released a concept paper on December 6, 2023 outlining its action plan to enhance cyber resiliency in the health care sector by proposing certain voluntary cybersecurity actions and standards that may ultimately become requirements.
For health care organizations such as hospitals, “cyber resiliency” generally means how organizations anticipate, operate during, respond to, and recover from cyber attacks such as ransomware attacks, cloud exploitations, phishing or spear-phishing attacks, software and zero-day vulnerability exploitations, or distributed denial of service attacks.
The HHS concept paper is the agency’s latest cybersecurity-related action in health care this year. In April 2023, HHS released a Hospital Cyber Resiliency Landscape Analysis that focused on the connection between cyber threats and patient care access and safety, as well as on reducing the negative impact on clinical operations. The agency also oversaw the publication of additional health care-specific cybersecurity guidance documents, including the Office for Civil Rights (OCR) guidance for health care providers on explaining data privacy and security risks to patients who use telehealth services. Additionally, HHS offered cybersecurity training to small and medium-sized health care facilities.
Building off these efforts, HHS’s action plan features four steps it will take to further develop cyber resiliency standards for health care organizations:
HHS Cyber Resiliency Action Plan
Establish Voluntary Cybersecurity Performance Goals For the Healthcare Sector
Health care organizations already have access to a wide range of federal cybersecurity guidance documents to use as part of their privacy and security compliance programs, including but not limited to these documents:
- NIST Special Publication 800-66, Revision 2
- NIST Cybersecurity Framework
- HHS 405(d) Program Health Industry Cybersecurity Practices
- Health Care and Public Health Sector Cybersecurity Framework Implementation Guide
- FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
Health care organizations also have a range of state agency cybersecurity guidance documents available. HHS acknowledged that developing new standards in addition to these various resources may be confusing for health care organizations already attempting to prioritize the various standards among the current publications and frameworks. However, the agency stated it plans to partner with the health care industry to develop minimum cybersecurity requirements and advanced practices in the form of Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs). Importantly, HHS noted that HPH CPGs would help to inform potential future regulatory action.
Provide Resources to Incentivize and Implement Cybersecurity Practices
HHS plans to use both carrots and, in the long term, a stick to get hospitals to implement HPH CPGs. HHS plans to work with Congress to fund an upfront investment program for certain resource-strapped hospitals to invest in “essential” HPH CPGs and to create an incentives program for all hospitals to invest in “enhanced” HPH CPGs. HHS added that, in the future, it would also collaborate with Congress to impose financial penalties on hospitals that have not met required HPH CPGs.
Implement an HHS-Wide Strategy to Support Greater Enforcement and Accountability
HHS intends to make HPH CPGs compulsory in the future by weaving them into existing health care regulations and programs. First, HHS will propose new cybersecurity requirements for hospitals through the Medicare and Medicaid programs. HHS communicated that OCR will begin to add new cybersecurity requirements to the HIPAA Security Rule in spring of 2024.
HHS also announced plans to work with Congress to increase civil monetary penalties (CMPs) for HIPAA violations, augment its investigation and audit resources, and continue to offer technical assistance for low-resourced organizations.
Expand and Mature the One-Stop Shop Within HHS for Healthcare Sector Cybersecurity
HHS will enhance its “one-stop shop” cybersecurity support function within the Administration of Strategic Preparedness and Response (ASPR), an HHS agency primarily charged with preparation for and response to public health emergencies and disasters.
American Hospital Association Response
In a statement responding to HHS’s concept paper announcement, American Hospital Association (AHA) President and CEO Rick Pollack said, in part:
“Responding today to HHS’ ‘Concept Paper’ on strategies for enhancing health care cybersecurity, the AHA welcomes the investment of federal expertise and funding in protecting hospital and health system patients from heinous attacks on critical health care infrastructure. However, this fight is largely against sophisticated foreign-based hackers who often work at the permission of and in collusion with hostile nation states. Defeating these hackers requires the combined expertise and authorities of the federal government.
“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks.
“The AHA will continue to work with the federal agencies and Congress to develop and advance policies to protect patients, data and health care services from cyberattacks.”
OCR Phishing Attack Settlement
Days after the release of the HHS concept paper, OCR announced a settlement with Lafourche Medical Group to resolve the agency’s first investigation based on a phishing attack, one that affected the electronic protected health information (ePHI) of approximately 34,862 individuals. Lafourche Medical Group reported the breach to OCR in 2021. OCR’s investigation concluded that, prior to the phishing attack, Lafourche Medical Group (i) had never conducted the Security Rule risk analysis required by HIPAA; and (ii) had not implemented procedures to regularly review records of information system activity, as HIPAA also requires. Lafourche Medical Group will pay $480,000 to OCR and implement a two-year corrective action plan under which it will establish and implement security measures and written policies and procedures and provide HIPAA training to staff members with access to ePHI.
Conclusion
The AHA response above, released shortly after the HHS concept paper, signals that while health care organizations would likely welcome additional financial and technical support from the federal government, they will also seek further discussion and clarification regarding the possibility of mandatory cybersecurity requirements, reduced Medicare or Medicaid payments, and HIPAA-related CMPs. These organizations will also likely be interested in how the new HPH CPGs will interact with current cybersecurity standards, especially if the HPH CPGs become mandatory obligations in the future.
The OCR phishing attack settlement serves as evidence that OCR is expanding HIPAA investigation and enforcement activities in a manner consistent with HHS’s cybersecurity priorities. In addition to reviewing OCR’s settlement terms and ensuring they have up-to-date policies and procedures, health care organizations can prepare for HHS’s next steps under its action plan by reviewing the agency’s recently published cybersecurity materials, including the Hospital Cyber Resiliency Landscape Analysis.