The U.S. Department of Health and Human Services (HHS) has recently released a paper that outlines its cybersecurity strategy in healthcare. The paper builds on the National Cybersecurity Strategy that President Biden released last year, focusing specifically on strengthening resilience for hospitals, patients, and communities threatened by cyber attacks.
Cybersecurity is a critical issue for the healthcare sector, as cyber incidents can disrupt patient care, compromise sensitive data, and endanger public health. According to HHS, cyber incidents in healthcare are on the rise. From 2018 to 2022, there was a 93% increase in large breaches reported to HHS, with a 278% increase in large breaches involving ransomware. These incidents have led to extended care disruptions, patient diversions to other facilities, and delayed medical procedures, all of which put patient safety at risk.
To address these challenges, HHS has proposed a framework that consists of four pillars for action:
- Establishing voluntary cybersecurity goals for the healthcare sector: HHS will work with stakeholders to develop and publish a set of goals that define the desired cybersecurity outcomes for healthcare organizations. These Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) will be based on existing standards and best practices and will help healthcare organizations measure and improve their cybersecurity posture.
- Providing resources to incentivize the implementation of these cybersecurity practices: HHS will collaborate with Congress to create mechanisms that encourage and enable hospitals to invest in HPH CPGs. HHS envisions that this will consist of two programs. The first is an upfront investments program, to help low-resourced hospitals cover the upfront costs associated with implementing “essential” HPH CPGs. The second component will be an incentives program to encourage all hospitals to invest in cybersecurity practices to implement “enhanced” HPH CPGs.
- Implementing an HHS-wide strategy to support greater enforcement and accountability: Given the increased cyber risk at hospitals, HHS envisions a world where all hospitals are required to meet sector-specific CPGs in the coming years. HHS hopes to incorporate HPH CPGs into existing regulations and programs in order to create enforceable cybersecurity standards that promote accountability. As part of this strategy, HHS plans to update the HIPAA Security Rule to include new cybersecurity requirements. As part of this update, HHS also plans to work with Congress to increase monetary penalties for HIPAA violations and provide HHS with more resources to investigate potential HIPAA violations.
- Expanding and maturing the one-stop shop within HHS for healthcare cybersecurity: HHS will work to enhance its cybersecurity support function to more effectively allow healthcare organizations to access the Federal Government’s support and services. This will increase coordination between HHS and the Federal Government, increase HHS’s incident response capabilities, and deepen the Federal Government’s partnership with the healthcare sector.
You can read the full concept paper here: HEALTHCARE SECTOR CYBERSECURITY
How ProcessBolt Can Help
Vendor risk management is a critical component of a robust cybersecurity program for healthcare organizations. A staggering 60%+ of data breaches originate from third-party vendors. While HHS has yet to outline specific CPGs, HHS writes in its Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients report that vendor management needs adequate attention as a cybersecurity priority. In particular, HHS highlights the importance of vendor risk management in protecting against attacks on network-connected medical devices.
ProcessBolt offers a fully-integrated, AI-driven vendor risk management platform that uniquely enables organizations to assess and continuously monitor their vendor networks.
Get in touch today to learn more about how we can help you secure your supply chain.