Dive Brief:
- The HHS released a working paper this week that outlines its strategy to support cybersecurity in healthcare, including proposing hospital cybersecurity requirements through Medicare and Medicaid and beginning to update the HIPAA rule.
- The paper details steps to improve resilience among healthcare organizations, like establishing voluntary cybersecurity goals for the sector, working with Congress to receive new authority and funding, and adding goals into existing regulations and programs.
- The strategy comes as healthcare organizations face growing threats of cyberattacks that jeopardize patient safety and privacy. The HHS’ Office for Civil Rights found a 93% increase in large breaches reported from 2018 to 2022, and a 278% increase in large breaches involving ransomware.
Dive Insight:
Cyberattacks against healthcare organizations pose serious risks to patients, potentially exposing sensitive health data and delaying care.
Ransomware, where criminals demand payment in exchange for restored access to critical files and information, is a key threat to care delivery.
On average, healthcare organizations lost nearly 14 days to downtime — where they were shut down or unable to provide services — due to ransomware attacks from 2016 to mid-October this year, according to a report by technology review and cybersecurity research firm Comparitech.
With the latest working paper, the HHS outlined a strategy aimed at improving healthcare organizations’ resilience to cybersecurity incidents, with the first step focused on developing voluntary industry-specific performance goals. That will help organizations focus on “high-impact” cybersecurity practices and reduce confusion from trying to follow a variety of other guidance, the department said.
The HHS will also push Congress to receive new authority and funding to both provide monetary support and eventually enforce new hospital cybersecurity requirements through financial penalties.
Money and voluntary goals alone won’t drive enough change, the department said. The HHS’ third step focuses on proposing to add healthcare-specific cybersecurity goals into existing regulations, which will inform future standards.
The CMS will propose new cybersecurity requirements for hospitals through Medicare and Medicaid and the HHS’ OCR will begin to update the HIPAA Security Rule in the spring to include new standards.
American Hospital Association CEO Rick Pollack said the trade and lobbying group welcomes more federal expertise and funding to protect the sector from cyberattacks, but that it can’t support mandatory requirements.
“Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks,” Pollack said in a statement. “Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks.”
The agency’s strategy comes as healthcare organizations have increasingly become targets of cyberattacks. A Thanksgiving ransomware attack on Ardent Health Services, which runs about 30 hospitals in six states, forced the operator to reschedule non-emergent procedures and send ambulances to other local facilities.
Another attack at Prospect Medical Holdings, which operates 16 hospitals in several states, earlier this year forced one of its facilities in Connecticut to divert patients for more than two weeks, according to reporting by the Connecticut Mirror.
Editor’s note: This article has been updated to include comments from the American Hospital Association.