The Biden administration’s National Cybersecurity Strategy continues to move forward in fits and starts across assorted federal agencies, this time taking the form of a concept paper from the Department of Health and Human Services (HHS) outlining its healthcare cybersecurity plans for the near future.
Hospitals that are certified for Medicare or Medicaid are likely those looking at new regulations in the short term. For other facilities, a lot of voluntary new guidelines and assistance programs are being proposed (though much of this hinges on Congressional authorization of new funding).
Cybersecurity strategy for hospitals calls for rapid action as threats grow
The speed of action of many elements of the cybersecurity strategy is limited by the need to involve Congress, but the administration appears to be moving wherever it can in the meantime. Direct agency action on healthcare cybersecurity of this type has recently come from the FDA, which used existing authority to establish new security standards for medical device manufacturers.
There is also healthcare industry pushback. The primary objection thus far is that any new healthcare cybersecurity rules (and punishments for breaches) should apply equally to third-party vendors, of which hospitals may easily have thousands. The current power of HHS to directly make rules is mostly related to the certification process for approved Medicare and Medicaid hospitals, and some control over HIPAA requirements. It is becoming harder to put off new regulations as serious attacks on patient care facilities mount, however, with a nearly 300% increase in ransomware attacks on hospitals in the past five years and a disturbing trend in seeing emergency rooms shut down and divert patients for as much as several days after systems go offline.
HHS does appear to be attempting to balance new healthcare cybersecurity requirements with new assistance, including an array of financial help for struggling facilities. However, that is yet another portion of the cybersecurity strategy that will require Congressional approval.
Healthcare cybersecurity needs growing with threat environment
Most of the action out of HHS to date has involved updates to voluntary guidance. The agency is now looking to pair this with incentive systems for adoption of these best practices. It is also looking to make it easier for individual entities to determine exactly what they should be doing in terms of cybersecurity strategy at their particular stage of program maturity (and exactly which regulations apply to them) by way of a new set of Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) that everyone could use as a starting point for relevant healthcare cybersecurity guidance. The agency is also looking to expand the Administration for Strategic Preparedness and Response (ASPR), providing better and more straightforward assistance for private industry looking to access available federal support.
Congress will need to approve funding, but the healthcare providers most in need of help with their cybersecurity strategy might see new money available to aid in meeting these newly established HPH CPGs. HHS would also like to establish financial incentives for other patient care facilities to adopt these standards.