Biden’s 2025 Proposed $7.3 trillion Budget: $1.4B to Help Hospitals Improve Their Cybersecurity
President Biden recently unveiled the draft 2025 budget, which allocates $1.3B in funding for hospitals to implement the Department of Health and Human Services (HHS) cybersecurity goals, and $144MM for the HHS to bolster their own security measures.
Biden’s focus on aiding hospitals in tackling cybersecurity challenges stems from the escalating prevalence of cyber incidents within the healthcare sector and the potential disruptions these attacks can inflict on patient care. From 2018 to 2022, there was a 93% surge in large breaches reported to the HHS, with a 278% increase in large breaches involving ransomware. Such incidents have led to prolonged care interruptions, patient diversions to other facilities, and delayed medical procedures, all of which jeopardize patient safety.
The $1.3B allocated for hospital support is divided into two main categories: $800MM is designated for “high-need, low-resourced” hospitals to cover the upfront costs of meeting HHS goals, and $500MM is set aside as incentives for all hospitals to adopt these goals.
To fully appreciate the significance of this $1.4B in proposed funding aimed at enhancing cybersecurity in healthcare, it’s crucial to understand the key components of the HHS cybersecurity strategy.
This blog will explore the HHS plan to address cybersecurity, how the proposed funding will enable the HHS to execute its strategy, and what the budget means for vendor risk management in hospitals.
What is the HHS Plan to Address Cybersecurity Challenges for Hospitals?
In December 2023, the HHS released a concept paper outlining their strategy to help healthcare organizations manage cybersecurity more effectively.
The concept paper identifies four pillars for action, which we discussed in more detail in a previous blog:
- Establishing voluntary cybersecurity goals for the healthcare sector: HHS will publish Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs).
- Providing resources to incentivize implementation of these cybersecurity practices: HHS will work with Congress to create mechanisms that encourage hospitals to invest in HPH CPGs.
- Implementing an HHS-wide strategy to support greater enforcement and accountability: With increasing cyber risks at hospitals, HHS envisions a future where all hospitals are required to meet sector-specific CPGs.
- Expanding and maturing the one-stop shop within HHS for healthcare cybersecurity: HHS aims to enhance its cybersecurity support function to better facilitate access to Federal Government support and services.
While the concept paper was an important initial step, several key issues needed clarification for the HHS to effectively implement this strategy, such as the release of the HPH CPGs and clarity on the available funding to incentivize hospitals to adopt HPH CPGs.
What Key Priorities Does the HHS Want Hospitals to Address?
In January 2024, a month after publishing the initial concept paper, the HHS provided more details on the HPH CPG, outlining two types of goals:
- Essential Goals: Intended to help healthcare organizations address common vulnerabilities by establishing a baseline for safeguards against cyberattacks.
- Enhanced Goals: Aimed at helping organizations improve their defenses to a more advanced level.
Essential Goals include:
- Mitigating Known Vulnerabilities
- Email Security
- Multifactor Authentication
- Basic Cybersecurity Training
- Strong Encryption
- Revoking Credentials for Departing Workforce Members
- Basic Incident Planning and Preparedness
- Unique Credentials
- Separating User and Privileged Accounts
- Vendor/Supplier Cybersecurity Requirements
Enhanced Goals include:
- Asset Inventory
- Third Party Vulnerability Disclosure
- Third Party Incident Reporting
- Cybersecurity Testing
- Cybersecurity Mitigation
- Detect and Respond to Relevant Threats and Tactics, Techniques, and Procedures
- Network Segmentation
- Centralized Log Collection
- Centralized Incident Planning and Preparedness
- Configuration Management
What Does the Budget Mean for Vendor Risk Management?
One of the major challenges hospitals currently face is effectively managing vendor risk. The release of the budget coincides with the healthcare sector grappling with the aftermath of the Change Healthcare data breach. Change Healthcare, a key player in hospital claims processing and payments, processes over 15 billion claims annually. This breach has caused severe operational disruptions, affecting hospitals’ ability to provide patient care and pharmacies’ capacity to administer prescriptions.
This incident underscores the critical role of third parties in the healthcare ecosystem and highlights the importance of effective vendor risk management. Recognizing this, the HHS has made vendor risk management an Essential Goal in their HPH CPG. $800M of the funding is aimed at supporting “high-need, low-resourced” hospitals in implementing vendor risk management programs, while $500M will incentivize other hospitals to adopt similar programs.
How ProcessBolt Can Help
ProcessBolt offers a fully integrated, AI-driven vendor risk management platform that can help hospitals manage vendor risk effectively and efficiently. Our AI-driven platform uniquely enables healthcare organizations to assess and continuously monitor their vendor networks. For hospitals that may lack the resources to manage vendor risk internally, we also offer fully outsourced managed services.
More information will be shared in the coming months about the distribution mechanics of this funding to hospitals for implementing these goals. In the meantime, get in touch with us today to learn more about how we can assist you in successfully implementing this Essential Goal.