HHS Tells Health Systems: Get Serious About Cybersecurity

By Eric Wicklund

With cybersecurity incidents occurring on an almost-daily basis in the healthcare sector, federal regulators are looking to take a more active role in improving data security.

The Health and Human Services Department has released a new strategy for cybersecurity, centered on four steps aimed at improving the healthcare landscape. The six-page document builds on the Biden administration’s National Cybersecurity Strategy, which was unveiled last March, and follows recent actions taken by federal agencies to boost security, including the release of healthcare-specific practices and training resources, guidance on medical device security from the U.S. Food and Drug Administration, and new telehealth guidelines from the HHS Office for Civil Rights (OCR).

“The healthcare sector is particularly vulnerable, and the stakes are especially high,” HHS Secretary Xavier Becerra said in a release accompanying the strategy. “Our commitment to this work reflects that urgency and importance. HHS is working with healthcare and public health partners to bolster our cybersecurity capabilities nationwide.”

The strategy comes at a particularly vulnerable time for the healthcare industry, which has seen an alarming increase in large data breaches and ransomware attacks in recent months. According to the OCR, the industry saw an almost two-fold increase in large breaches from 2018 to 2022, from 369 incidents to 712, while ransomware attacks surged 278% over the same period.

With that in mind, HHS is planning to take a more active role in pushing the healthcare industry to improve its defenses. The agency plans to:

  1. Establish voluntary cybersecurity performance goals for the healthcare sector;
  2. Provide resources to incentivize and implement these cybersecurity practices;
  3. Implement an HHS-wide strategy to support greater enforcement and accountability; and
  4. Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity.

Of particular note are the financial incentives that the government will be offering to health systems that need help becoming more secure. According to the report, HHS will launch a program to help struggling hospitals cover the up-front costs of meeting “essential” cybersecurity performance goals (CPGs), and a second program that offers incentives for hospitals to invest in the advanced cybersecurity practices needed to meet “advanced” CPGs.

Not everyone is on board with the HHS strategy. Chris Bowen, founder and chief information security officer for ClearDATA, says the industry should get even tougher.

“While a gesture towards progress, [the strategy] falls critically short of what’s imperative in today’s climate,” he said in an e-mail to HealthLeaders. “Suggesting voluntary measures is akin to applying a band-aid on a hemorrhage; it’s time for HHS to enforce rigorous, non-negotiable cybersecurity standards and to provide the necessary resources and mandates.”

“The sector’s talent gap in cybersecurity is no secret, and it places our hospitals at a disadvantage, jeopardizing patient safety,” he added. “We must look to the strategies of those who have robustly safeguarded healthcare data and replicate their assertive approach. Protecting lives extends beyond the physical realm; it encompasses shielding patients from the lethal threat of cyber-attacks. To accept minimum, voluntary standards is to tacitly endorse a status quo that endangers our patients.”

Eric Wicklund is the associate content manager and senior editor for Innovation, Technology, Telehealth, Supply Chain and Pharma for HealthLeaders.