A Dec. 6 concept paper outlines the Department of Health and Human Services’ (HHS’) cybersecurity strategy for the health care sector, which includes setting cybersecurity standards and providing resources for hospitals to meet those standards. The concept paper builds on the Biden administration’s National Cybersecurity Strategy released in March.
Amid an increase in cyberattacks that compromise patient safety, expose vulnerabilities in the health care system, and erode patient trust, HHS released the strategy to promote preparedness and security among affected hospitals, patients, and communities.
The paper details four pillars of action for HHS:
- Publish voluntary health care and public health sector cybersecurity performance goals (HPH CPGs). The agency will release HPH CPGs to provide direction to the health care industry on cybersecurity practices.
- Provide resources to incentivize and implement cybersecurity practices. The agency will work with Congress to obtain new authority and funding, including for low-resourced hospitals to cover the upfront costs of making cybersecurity investments.
- Implement an HHS-wide strategy for greater enforcement and accountability. The agency would incorporate enforceable cybersecurity standards into existing programs, including Medicare and Medicaid.
- Expand the Administration for Strategic Preparedness and Response’s coordination role as a “one-stop shop” for health care cybersecurity. The agency plans to improve access to and uptake of government support and services and improve HHS’ incident response capabilities.
HHS notes that it will make changes through regulations, such as updates to the HIPAA security rule, to include new cybersecurity requirements.
Contact Director of Policy Rob Nelb, MPH, at rnelb@essentialhospitals.org or 202.585.0127 with questions.