HHS Releases Voluntary Cybersecurity Goals for the Healthcare Sector

From Healthcare Dive

Dive Brief:

  • The HHS released voluntary cybersecurity goals for healthcare and public health organizations on Wednesday, as the industry grapples with increasing large data breaches and ransomware attacks.
  • The performance goals, broken down into essential and enhanced safeguards, aim to help organizations prevent cyberattacks, improve their response if an incident occurs and minimize remaining risk after security measures are applied.
  • The resources come after the HHS released a concept paper in December, which detailed plans to create hospital cybersecurity requirements through Medicare and Medicaid and eventually update the HIPAA rule.

Dive Insight:

Healthcare data breaches — particularly those stemming from hacking — have risen over the past decade, exposing hundreds of millions of patients’ sensitive personal information or protected health data.

Breaches can be costly for healthcare organizations to manage, but cyberattacks that interrupt hospital operations are also a risk to patient safety.

Ransomware, where criminals demand payment in exchange for restored access to sensitive information and critical systems, can disrupt normal care for weeks.

Ardent Health Services, which runs facilities in multiple states, was hit by a ransomware attack on Thanksgiving, forcing the hospital operator to take its network offline and divert incoming ambulances. Ardent restored access to its electronic health record in early December and fully recovered its patient portal in January.

The new cybersecurity goals from the HHS aim to help healthcare organizations build layered protection against cyberattacks — so if one defense fails, another can serve as a backup — which the agency said is key to building resilience and protecting patients.

“We have a responsibility to help our health care system weather cyber threats, adapt to the evolving threat landscape, and build a more resilient sector,” HHS Deputy Secretary Andrea Palm said in a statement. “The release of these cybersecurity performance goals is a step forward for the sector as we look to propose new enforceable cybersecurity standards across HHS policies and programs that are informed by these CPGs.”

The essential goals, which include safeguards like email security, multifactor authentication and basic cybersecurity training for employees, create a base to help organizations manage common vulnerabilities.

The enhanced protections, like establishing processes to discover and address threats at vendors, separating critical assets into discrete network segments and cybersecurity testing, aim to help health systems mature their defenses.

Hospitals cheered the voluntary goals, with American Hospital Association president and CEO Rick Pollack recommending in an email statement that “all components of the healthcare sector implement these practices including third party technology providers and business associates.”

But the trade and lobbying group has previously argued that mandated cybersecurity standards tied to funding — which media reports suggest could be coming down the pike soon — could remove hospital resources that could be used to shore up their cyber defenses.