
Summary of the HHS cybersecurity planning document

The United States Department of Health and Human Services (HHS) released a document in December 2023 outlining a strategic plan to bolster cybersecurity within the healthcare sector. Focused on combating rising cyber threats, especially ransomware attacks on hospitals, the plan centers on Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs). This summary provides the highlights from the planning document and details how these goals categorize essential and advanced cybersecurity practices, aiming to fortify defenses and protect patient data and critical healthcare infrastructure.


Understanding healthcare cybersecurity

Healthcare cybersecurity protects patient records, networks, and medical devices from cyber threats. The unique challenges include the high value of medical data and the interconnected nature of healthcare networks, both of which make healthcare organizations prime targets for cyberattacks.


The HHS's approach to healthcare cybersecurity

In the planning document, the HHS has outlined a strategic plan to strengthen cybersecurity in healthcare. The plan revolves around Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs), categorizing essential and advanced cybersecurity practices.

The HHS aims to support these goals by providing financial assistance for hospitals to adopt essential cybersecurity practices and incentivizing advanced measures. The financial support will encompass an upfront investment program to aid low-resourced hospitals in covering essential cybersecurity costs. Simultaneously, an incentives program will encourage all hospitals to invest in advanced cybersecurity practices.

Additionally, the HHS plans to enforce cybersecurity requirements through Medicare, Medicaid, and potential updates to the HIPAA Security Rule. According to the document, the HHS also plans to strengthen its cybersecurity support function to help healthcare entities access government resources such as technical assistance, vulnerability scanning, and incident response.


Urgency and impact of cyber incidents in healthcare

The HHS states that recent cyberattacks, especially ransomware incidents, have severely disrupted patient care, increased mortality rates among admitted patients, and led to a rise in data breaches. Hospitals facing prolonged outages have had to divert ambulances, cancel appointments, and revert to manual record-keeping, impacting critical care provision.

The escalation in data breaches, particularly involving ransomware, disrupts healthcare services and poses risks to patient safety and confidentiality. 


HHS's vision for a resilient healthcare sector

HHS believes its initiatives will systematically elevate the cybersecurity posture of hospitals and the broader healthcare sector. By establishing clear guidelines through HPH CPGs and offering financial support and incentives, HHS aims to promote the adoption of robust cybersecurity measures across all healthcare institutions.

Active engagement and contribution from healthcare stakeholders are crucial to strengthen cybersecurity practices. Through concerted efforts and proactive measures, the healthcare sector can work to ensure uninterrupted delivery of critical healthcare services while safeguarding patient data and safety.
