HHS wants Congress to fund cybersecurity resilience programs with 'financial consequences' for hospitals

New Medicare program requirements, hospital incentive programs and better internal coordination are all at the heart of the Biden administration’s strategy to bolster cybersecurity within the healthcare industry.

In a concept paper (PDF) released Wednesday, the Department of Health and Human Services (HHS) highlighted a 93% increase in large healthcare data breaches from 2018 to 2022, as well as a 278% increase in those that involve ransomware. HHS said this uptick puts patient safety at risk and necessitates new authority and funding from Congress for department programs focused on cybersecurity.

“Hospitals across the country have experienced cyberattacks, leading to canceled medical treatments and stolen medical records,” Anne Neuberger, deputy national security adviser for cyber and emerging technologies, said in an HHS release. “Such impacts are preventable — to keep Americans safe, the Biden-Harris administration is establishing strong cybersecurity standards for health care organizations and enhancing resources to improve cyber resiliency across the health sector, including working with Congress to provide financial support for hospitals.”

In line with the priorities outlined within the White House’s National Cybersecurity Strategy, HHS’ concept paper outlines four major steps the department will take to advance healthcare cyber resiliency.

  • Establishing voluntary cybersecurity goals for the healthcare sector. These goals will streamline the “confusion” caused by the numerous existing standards and guidances that are currently available to healthcare organizations. The new goals will be developed with input from the industry and include “essential” minimum goals as well as encouragement to adopt other “enhanced” practices.
  • Providing resources to incentivize and implement cybersecurity practices. Here, HHS said it “will work with Congress” to impose financial consequences for hospitals that will drive short- and long-term improvements. This could include an upfront investment program for low-resourced hospitals and an incentives program to encourage adoption across the full hospital sector.
  • Implementing an HHS-wide strategy to support greater enforcement and accountability. The department said it will propose new cybersecurity requirements (informed by the above industry-guided goals) for hospitals through Medicare and Medicaid. Additionally, the HIPAA Security Rule will be updated in spring 2024 to include new cybersecurity requirements, and HHS will tap Congress for greater civil monetary penalties and other enforcement related to HIPAA compliance.
  • Expanding and maturing the “one-stop shop” within HHS for healthcare sector cybersecurity. The department said it will “mature” the healthcare cybersecurity support function within the Administration of Strategic Preparedness and Response (ASPR). This will help “more effectively enable industry to access the support and services the federal government has to offer,” and support coordination within the government itself.

“The healthcare sector is experiencing a significant rise in cyberattacks, putting patient safety at risk. These attacks expose vulnerabilities in our health care system, degrade patient trust, and ultimately endanger patient safety,” HHS Deputy Secretary Andrea Palm said in a release. “HHS takes these threats very seriously, and we are taking steps that will ensure our hospitals, patients and communities impacted by cyberattacks are better prepared and more secure.”

HHS’ paper also highlighted the cybersecurity-related activities it has pursued and continues to pursue under its existing authorities, such as distributing cyber threat intelligence and providing technical assistance for achieving regulatory compliance. The department has also published assessments of the current cyber resiliency landscape and circulates best practices and trainings for hospitals.

“HHS is working with healthcare and public health partners to bolster our cybersecurity capabilities nationwide,” HHS Secretary Xavier Becerra said in a statement. “We are taking necessary actions that will make a big difference for the hospitals, patients and communities who are being impacted.”

The administration's strategy drew a guarded response from the hospital industry.

In a statement, American Hospital Association (AHA) President and CEO Rick Pollack said that the sector invests billions into cybersecurity and remains committed to working with federal agencies on prevention and mitigation.

The organization "welcomes" further monetary and expertise support, with Pollack noting the healthcare sector's uphill battle against "sophisticated foreign-based hackers who often work at the permission of and in collusion with hostile nation states."

On the other hand, Pollack said the AHA "cannot support" mandatory cybersecurity requirements implemented "as if [hospitals] were at fault for the success of hackers in perpetrating a crime," particularly as many recent successful attacks made their way to hospitals via third-party organizations.

"No organization, including federal agencies, is or can be immune from cyberattacks," Pollack said. "Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks. The AHA will continue to work with the federal agencies and Congress to develop and advance policies to protect patients, data and health care services from cyberattacks."

Editor's note: This story has been updated with comments from the American Hospital Association.