Protecting the healthcare sector from the ever-increasing cyber threat is a matter of national security.  Indeed, on March 1, 2023, President Biden issued the National Cybersecurity Strategy where the President emphasized the need  to defend “the systems and assets that constitute our critical infrastructure [as] vital to our national security, public safety, and economic prosperity.”  Undoubtedly, the healthcare sector is central to the nation’s critical infrastructure, and it remains vulnerable to increasing cybersecurity risks.  The U.S. Department of Health and Human Services (“HHS”) reports a 93% increase in large healthcare sector breaches from 2018 to 2022 with a 278% increase in reported cyber incidents involving ransomware for the same period.  And the ongoing cyber threat is not expected to lighten up anytime soon.  Notably, under HHS supervision, the Federal Government and industry will continue to work together to create a reliable cybersecurity framework to help secure the national healthcare system and protect patients from these rising cyber threats. 

As a spinoff of the National Cybersecurity Strategy, HHS issued a Healthcare Sector Cybersecurity Concept Paper to provide an “overview of HHS’ proposed framework to help the healthcare sector address these cybersecurity threats and protect patients.”  The Concept Paper outlines HHS’s four-part path forward to creating a reliable cybersecurity framework. 

Step 1:  Establish Voluntary Cybersecurity Goals

The first step on the path is HHS’s goal to establish and publish voluntary sector-specific Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (“HPH CPGs”). The intent of the HPH CPGs is to set “a clear direction for industry and helping to inform potential future regulatory action” from HHS to minimize the confusion created from multiple different standards and guidance. The HPH CPGs “will include both ‘essential’ goals to outline minimum foundational practices for cybersecurity performance and ‘enhanced’ goals to encourage adoption of more advanced practices.”

Step 2:  Provide Resources to Incentivize Cybersecurity Practices

To mitigate the extreme cost burden that improving a cybersecurity program entails, HHS will work with Congress to obtain “funding to  administer financial support for domestic hospitals’ investments in cybersecurity.”  HHS intends to establish two programs: (1) the upfront investments program to help high-need healthcare providers with the initial costs to implement “essential” CPGs and (2) an incentives program to encourage hospitals to invest in advanced cybersecurity practices.

Step 3:  Implement an HHS-Wide Strategy to Support Greater Enforcement and Accountability

Of course, with clearer rules, will come more enforcement. HHS will seek to have the CPGs incorporated into existing regulations to establish “new enforceable cybersecurity standards” and ask Congress to increase monetary penalties for violations of HIPAA. HHS’s expectation is that all hospitals will meet those sector specific HPH CPGs, and it will increase enforcement efforts as evidenced by HHS’s requests to Congress for more resources and money to investigate potential HIPAA violations, conduct audits, and scale outreach programs.

Step 4:  Expand and Mature the One-Stop Shop Within HHS for Healthcare Sector Cybersecurity

HHS intends on resourcing its “one-stop-shop” cybersecurity support function to the healthcare sector. This “one-stop-shop” will “[e]nhance coordination within HHS and the Federal Government, deepen government’s partnership with industry, increase HHS’s incident response capabilities, and promote greater uptake of government services and resources such as technical assistance, vulnerability scanning, and more.”

So, what is next for those impacted by HHS’s Concept Paper?  The likely best course is to be proactive now and engage how you can with the path laid out above.  Here are three next steps to consider: 

1. Perform a security risk assessment to drive honest self-reflection on where your organization’s cybersecurity program needs improvement and resources. To ensure objectivity, engaging a third-party security consultant to independently evaluate your organization’s security controls is a best practice. In light of the anticipated increase in enforcement activity, it is important to consider engaging outside counsel to oversee the assessment and provide legal advice with respect to whether your program meets applicable legal and regulatory requirements. By proceeding in this manner, your organization will also be able to assert privilege protection with respect to the assessment findings.
2. Develop a remediation plan and timeline. Based on the findings of your security risk assessment, your organization should work with the security consultants and counsel engaged to develop a prioritized remediation plan and timeline. By methodically checking off your remediation to-do list based on the risks presented by the gaps identified, your organization can show good faith in the event of a data breach and subsequent regulatory investigation.
3. Be a voice in the process.  Use the data you learn from your security assessment, industry experience, and on-the-ground knowledge of the threat landscape to engage with relevant Government and industry leaders on where and how the Government and HHS can best support industry.
4. Talk to your elected officials.  Indeed, as HHS speaks with Congress about funding and resource management, you can complement this goal by speaking with your elected officials to help them shape budgetary (and other) considerations.

Given the race to improve the healthcare sector’s cyber practices, there will likely be many updates over the next year that stem from this Concept Paper.