The Department of Health & Human Services (HHS) released a concept paper outlining its strategy for improving cybersecurity infrastructure within the healthcare sector. The paper calls for proposing healthcare-specific cybersecurity performance goals that will include both minimum foundational practices and advanced goals for cybersecurity performance. By centralizing these performance goals into the Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs), HHS hopes to provide clear directives for stakeholders. This paper comes on the heels of the White House’s March National Cybersecurity Strategy and HHS’s April 2023 Hospital Cyber Resiliency Landscape Analysis.
HHS initially intends to incentivize the adoption of these performance goals by working with Congress to increase funding, develop incentives, and increase enforcement authority to improve cybersecurity. Specifically, HHS has stated that it will take the following concurrent steps:
- Establish voluntary cybersecurity performance goals for the healthcare sector
- Provide resources to incentivize and implement these cybersecurity practices
- Implement an HHS-wide strategy to support greater enforcement and accountability
- Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity
Notably, HHS will also seek to incorporate the HPH CPGs into existing regulations and programs, including (1) by working with CMS to adopt new cybersecurity requirements for hospitals participating in Medicare and Medicaid; and (2) through proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in Spring 2024. These revisions are notable in that HIPAA’s security standards have not been revised in over 18 years, and hospitals would be subject to compliance surveys from state health departments and The Joint Commission (TJC) pursuant to the Medicare Conditions of Participation for Hospitals.
Bradley will continue to monitor this development and provide updates as HHS moves forward with these implementation strategies.