HHS releases new healthcare cybersecurity strategy

Following increasing cyber attacks and evolving tactics, the Biden administration has released a concept paper building on the national strategy released last year. 

 

What happened

The six-page document, released on Dec. 6th, focuses on cybersecurity in healthcare and what steps should be taken to address challenges. 

According to the HHS, which tracks cyber incidents in healthcare through its Office for Civil Rights, a 93% increase in large breaches was reported between 2018 and 2022. Even more alarming is the 278% increase in large breaches involving ransomware. 

The concept paper follows the March release of Biden’s National Cybersecurity Strategy paper, which focused on national security and public safety in various industries. The paper broadly discussed the importance of a robust infrastructure, dismantling threat actors, ensuring resilience, and investing in the future. The administration hopes to provide specific strategies for the healthcare field. 

 

Going deeper

The paper begins by outlining the HHS’s current performance activities, which include sharing threat information to mitigate risk, providing the sector with assistance and guidance, issuing threat alerts and guidance, and publishing healthcare-specific cybersecurity best practices and resources. 

The HHS has also released multiple documents, including the Health Industry Cybersecurity Practices, which details the current threats hospitals face. The organization has also released cybersecurity training and telehealth guidance, while the Food and Drug Administration issued guidance for medical device manufacturers. 

The document outlined the following four steps to be taken by the HHS: 

  • Establishing voluntary cybersecurity performance goals in the sector
  • Providing resources to incentivize the implementation of these practices
  • Implementing an HHS-wide strategy to support enforcement and accountability
  • Expanding the one-stop shop within HHS for healthcare sector cybersecurity

What was said

The document states that the healthcare sector is “particularly vulnerable to cybersecurity risks and the stakes for patient care and safety are particularly high.” As Paubox has noticed, healthcare facilities are frequently viewed as “attractive targets for cybercriminals in light of their size, technological dependence, sensitive data, and unique vulnerability to disruptions.”  

In response to the paper, the American Hospital Association released a statement expressing support for efforts to protect healthcare infrastructure. The statement, released by President and CEO Rick Pollack, further said, “The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime.”

 

The bottom line  

As the HHS begins rolling out the Biden Administration’s strategy, we will likely see the release of cybersecurity goals, incentives, and other measures. 

While it’s unclear what guidance will be released or how the HHS will hold healthcare organizations accountable, many organizations will have to consider how they can implement new strategies or security measures. 

 
