The U.S. Department of Health and Human Services (HHS; Washington, D.C.) released a concept paper, “Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services.” The resource outlines four new ongoing steps HHS plans to take to enhance cybersecurity for the healthcare sector.

Cyberattacks in healthcare are on the rise, according to HHS’ Office for Civil Rights (OCR). From 2018 to 2022, there was a 93 percent increase in large breaches reported to OCR, with a 278 percent increase in large breaches involving ransomware.

To help address these risks, HHS introduced four pillars for action:

  • Publish voluntary Healthcare and Public Health sector Cybersecurity Performance Goals (HPH CPGs). HHS will release HPH CPGs to help healthcare institutions plan and prioritize implementation of high-impact cybersecurity practices.
  • Provide resources to incentivize and implement cybersecurity practices. HHS will work with Congress to obtain new authority and funding to administer financial support and incentives for domestic hospitals to implement high-impact cybersecurity practices.
  • Implement an HHS-wide strategy to support greater enforcement and accountability. HHS will propose new enforceable cybersecurity standards, informed by the HPH CPGs. These standards will be incorporated into existing programs, including Medicare and Medicaid and the Health Insurance Portability and Accountability Act Security Rule.
  • Expand and develop a one-stop shop for healthcare sector cybersecurity within the Administration for Strategic Preparedness and Response (ASPR). This entity will enhance coordination between HHS, the federal government, and the healthcare industry; improve access to and uptake of government support and services; and increase HHS’ incident response capabilities.

The concept paper builds on the National Cybersecurity Strategy that President Biden released last year, focusing specifically on strengthening resilience for hospitals, patients, and communities threatened by cyberattacks.
