The healthcare industry faces rising cybersecurity risks that threaten patient safety and care. According to the U.S. Department of Health and Human Services (HHS), large healthcare data breaches are up 93% from 2018 to 2022, increasingly involving ransomware. These cyberattacks have disrupted hospital operations and delayed needed care.
To address this growing problem, HHS laid out a strategy centered on four main actions in their December 2023 report:
1. Establish voluntary cybersecurity performance goals for the healthcare sector.
Together, the Healthcare and Public Health Sector aim to create Cybersecurity Performance Goals (HPH CPGs), which will streamline cybersecurity standards and help healthcare organizations prioritize cybersecurity practices.
2. Provide resources to incentivize and implement these cybersecurity practices.
HHS will work with the government to fund and enforce 2 programs: an upfront investments program to help high-need providers, and an incentives program to encourage implementation of HPH CPGs.
3. Implement an HHS-wide strategy to support greater enforcement and accountability.
More than just voluntary action, HHS is working towards incorporating these new cybersecurity standards into regulatory requirements. Specifically, CMS will propose new cybersecurity requirements through Medicare and Medicaid, and the OCR will update HIPAA in spring 2024 to include new cybersecurity requirements. They are also looking to increase monetary penalties for HIPAA violations and new ways to scale their proactive auditing process.
4. Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity.
This pillar aims to deepen government partnership with the healthcare industry and increase HHS’s incident response capabilities.
These action items acknowledge that technology alone cannot secure healthcare data. Continuous training is critical to building an organizational culture of cyber awareness and accountability at all levels. HHS advises healthcare workers to undergo regular phishing simulations, incident response drills, and education on spotting threats. Facilities must ensure their workforce has the knowledge to serve as a key line of defense.
Achieving robust healthcare cybersecurity will require efforts across government, industry, and individual healthcare staff, but the payoff will be safer care delivery shielded from growing digital threats. With diligent training and layered technical controls guided by HHS’s strategy, the healthcare sector can secure data and focus on its most important job – helping patients.