HHS Announces Steps to Improve Cyber Resiliency in Health Care Sector

Published On: December 21, 2023

Cybersecurity is a critical issue for the health care sector, as cyberattacks can disrupt patient care, compromise sensitive data and endanger lives. In December 2023, the U.S. Department of Health and Human Services (HHS) released a concept paper that outlines its cybersecurity strategy for the health care sector, building on the National Cybersecurity Strategy that President Biden released earlier this year.

The concept paper sets out four action steps for cyber resiliency:

  • Voluntary Goals: Publishing new voluntary health care-specific cybersecurity performance goals (CPGs), which will provide a common framework for assessing and improving the cybersecurity posture of health care organizations. These CPGs will help health care institutions prioritize implementation of high-impact cybersecurity practices.
  • Resources: Working with Congress to develop supports and incentives for hospitals to improve cybersecurity, such as grants, tax credits or reimbursement adjustments.
  • Enforcement and Accountability: Developing enforceable cybersecurity standards to establish minimum requirements for health care organizations to protect their systems and data from cyber threats, including:
    • New cybersecurity requirements via the Centers for Medicare and Medicaid Services (CMS) for hospitals
    • An update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, in the spring of 2024, to include new cybersecurity requirements via the HHS Office for Civil Rights (OCR), as well as continued work with Congress to increase resources for investigations into potential HIPAA violations and to increase penalties for HIPAA violations
  • Coordinate Information from HHS and the Federal Government: Strengthening the coordination role of HHS’ Administration for Strategic Preparedness and Response (ASPR) as a “one-stop shop” for health care cybersecurity, which will provide guidance, resources, and technical assistance to the sector.

The concept paper also highlights some of the current HHS cybersecurity activities within existing authorities, such as sharing cyber threat information and intelligence, issuing cybersecurity guidance and threat alerts, and conducting cyber exercises and assessments.

HHS’ cybersecurity strategy for the health care sector is a timely and important initiative that aims to enhance cyber resiliency and protect patient safety. By working together with the health care community and other partners, HHS hopes to achieve a more secure and trustworthy digital health ecosystem.

3 Most Important Takeaways for Health Centers

  1. OCR will begin to update the HIPAA Security Rule in the spring of 2024 to include new cybersecurity requirements.
  2. HHS is looking to increase resources for investigations into potential HIPAA violations.
  3. HHS is looking to increase penalties for HIPAA violations.

If you have any questions or need additional support in cyber resiliency or related areas, please contact Compliance and Risk Management Services Manager, Alexander Lipovtsev, at alipovtsev@feldesman.com or 202.466.8960.

