Biden Administration Issues Cyber Strategy for Health Sector

The U.S. Department of Health and Human Services on Wednesday released a sweeping strategy document outlining how the Biden administration proposes to nudge the healthcare sector into improving its often poor cybersecurity.

See Also: Live Webinar | Cutting Through the Hype: What Software Companies Really Need from ASPM

The strategy includes updating the HIPAA Security Rule in the next year, establishing new cybersecurity requirements for hospitals participating in Medicare and Medicaid programs, setting new voluntary cybersecurity performance goals for healthcare entities – including financial sticks and carrots to implement them – and expanding a “one-stop shop” where healthcare sector entities can tap HHS cybersecurity services and resources.

HHS said its proposed framework is an “introduction” to its cybersecurity strategy for the healthcare sector. The plan supports President Joe Biden’s broader national cybersecurity strategy for critical infrastructure (see: White House Unveils Biden’s National Cybersecurity Strategy).

Hacking incidents at hospitals and medical centers have led to multiweek digital outages that cause disruption to extended care, force the diversion of patients to other facilities and result in canceled procedures, HHS wrote.

“More importantly, they put patients’ safety at risk and impact local and surrounding communities that depend on the availability of the local emergency department, radiology unit, or cancer center for life-saving care.”

Large data breaches tracked through the HHS Office for Civil Rights increased by 93% from 2018 to 2012, and large breaches reported to OCR as involving ransomware increased by 278%.

HHS said that while it can draw on existing authorities to carry out much of the strategy, some proposals will need congressional approval. Late last year, Congress granted the Food and Drug Administration enhanced authority to beef up cybersecurity regulatory requirements for medical devices (see: FDA Finalizes Guidance Just as New Device Cyber Regs Kick In).

Cyber Performance Goals

Although HHS does not detail the cybersecurity performance goals, or CPGs, it proposes for healthcare and public health sector entities, the department said they will include both “essential” goals to outline minimum foundational practices for cybersecurity performance and “enhanced” goals to encourage adoption of more advanced practices.

HHS envisions the establishment of two financial programs to incentivize healthcare entities into implementing the performance goals. That includes an upfront investments program to help high-need healthcare providers, such as hospitals with minimal resources, to cover the initial costs associated with implementing the “essential” cybersecurity measures and an incentives program to encourage all hospitals “to invest in advanced cybersecurity practices to implement ‘enhanced'” CPGs.

Groundwork for some of the HHS proposals has already started. For instance, HHS’ 405(d) advisory cyber task force earlier this year issued updated recommended voluntary Health Industry Cybersecurity Practices, or HICP. Those practices could help serve as the foundation for the CPGs, some experts said.

“These voluntary goals must reflect and leverage the HHS 405d Health Industry Cybersecurity Practices which are available today,” said Ed Gaudet CEO and founder of risk management firm Censinet and a member of the HHS cyber task group.

“Aligning the goals to known practices such as HICP and the NIST Cybersecurity Framework is paramount and the goals need to reflect the work that is already in flight across the ecosystem,” he said.

HHS said it will continue to work with Congress to beef up its HIPAA enforcement activities by increasing civil monetary penalties for HIPAA violations and resources for HHS to investigate potential HIPAA violations, conducting proactive audits, and scaling outreach and technical assistance for organizations with minimal resources to improve their HIPAA compliance.

“In the interim, HHS will continue to investigate potential HIPAA violations,” the document said.

Regulatory Considerations

Potential legislative proposals to help improve cybersecurity in the healthcare sector have already gained some bipartisan support in recent months.

Sen. Bill Cassidy, R-La., ranking member of the Senate Committee on Health, Education, Labor and Pensions, along with Sens. Mark Warner, D-Va.; John Cornyn, R-Texas; and Maggie Hassan, D-NH; last month announced that they had formed a group to examine and propose potential legislative solutions in the HELP Committee jurisdiction to strengthen cybersecurity in the healthcare and public health sector (see: U.S. Senator Seeks Input on Ways to Protect Patient Privacy).

In a white paper released last year, Warner floated the possibility of legislation mandating that organizations that participate in Medicare and Medicaid programs apply minimum security practices as a standard operating procedure (see: A Push for New Healthcare Sector Cybersecurity Legislation).

He proposed an incentive program to encourage healthcare sector entities to invest in cybersecurity, akin to the way the HITECH Act’s meaningful use incentive plan promoted investments by hospitals and doctors in electronic health record systems.

Some privacy and security experts have said the healthcare sector needs to focus extra attention and resources to help fortify its state of cybersecurity.

“HHS is correct in focusing attention on these issues in the healthcare sector,” said privacy attorney Kirk Nahra of the law firm Wilmer Hale.

“At the same time, as HHS says, there are ongoing, multiple, and sometimes conflicting sets of obligations and standards that healthcare companies are being expected to follow,” he said.

Nahra said that while he encourages and supports the idea of providing more resources to health care facilities with fewer resources, “the HIPAA rules are obviously targeted to somewhat different standards for different kinds of entities, but that reasonable regulatory approach can still put patient data at risk.”

He also said he is skeptical of the type of potential updates that HHS might consider for the HIPAA Security Rule. “I am not sure where HHS will go with any future rewrites to the approach of the HIPAA Security Rule, which, while flexible, typically has provided a framework for reasonable compliance activity,” he said.

“I am concerned about a new and broader focus on enforcement,” he added.

While HHS is intent on pushing the healthcare sector into adopting and maintaining stronger cybersecurity practices, so are some state governments.

New York State is issuing new proposed cybersecurity regulations for hospitals, including a two-hour window for reporting major breaches. The state’s proposed rules would come with $500 million in requested funding to help the providers step up their security investments to comply with the new requirements (see: NY State Eyes New Cyber Regs for Hospitals; $500M Price Tag).