
New Healthcare Cybersecurity Strategy From HHS Sets New Requirements for Medicare and Medicaid Facilities

Some patient care facilities may be facing new healthcare cybersecurity rules, according to a concept paper recently released by the Department of Health and Human Services (HHS). The new direction builds on the National Cybersecurity Strategy released by the Biden administration in March, which had previously indicated that HHS would play a more central role in health industry cyber defense and in assistance to all types of facilities.

For the moment, it would appear that patient care facilities that are certified for Medicare and Medicaid (the federal health insurance programs for those over the age of 65 or with certain qualifying income or disability conditions) are those that may be directly required to make improvements under the new healthcare cybersecurity rules. The new cybersecurity strategy also proposes a variety of assistance to other facilities, including sending a request for new funding and incentives to Congress.

HHS looks to bolster overall healthcare cybersecurity with federal funding and oversight

As the proposal notes, HHS has already taken a number of steps in consideration of National Cybersecurity Strategy objectives. These have included making updates to the voluntary Health Industry Cybersecurity Practices guidelines, publishing guidance on the protection of sensitive personal information when conducting telehealth sessions, and creating free training modules aimed at small-to-medium organizations that might still struggle with the basics of healthcare cybersecurity.

In terms of new action, the Centers for Medicare and Medicaid Services (CMS) will be drafting new rules for Medicare and Medicaid hospitals, and HHS is planning an update to the HIPAA Security Rule (the 1996 order that addresses protection of all sensitive health information stored electronically) to be put in place in early 2024. Work related to HIPAA requires a great deal of Congressional involvement, which HHS plans to seek; the agency has said it will ask legislators to increase penalties for HIPAA violations and to approve new funding for the HHS Office for Civil Rights (OCR) to conduct healthcare cybersecurity audits and provide technical assistance to under-resourced facilities.

Voluntary healthcare cybersecurity goals are also coming, including an effort to declutter and centralize information about existing guidance under a Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) system that would act as a “one stop shop” for facilities in establishing individual cybersecurity strategy. HHS will also go to Congress to seek new authority to establish a financial assistance program for high-need healthcare providers to cover initial costs in meeting HPH CPGs, and to develop an ongoing incentive program for other hospitals to adopt these standards.

Another “one stop shop” initiative is a proposed expansion of the Administration for Strategic Preparedness and Response (ASPR), which would streamline and simplify private industry access to the various federal support services and programs related to healthcare cybersecurity (such as the free vulnerability scanning and technical assistance provided by the likes of CISA).

National cybersecurity strategy continues developing via use of existing federal agency powers

The numerous elements in the healthcare cybersecurity plan that will eventually involve Congress illustrate how difficult it can be for the federal government to establish new standards and requirements that apply broadly. The approach also demonstrates how the Biden administration has so far attempted to push change faster by using whatever powers federal agencies already hold to act unilaterally within particular sectors in furtherance of the cybersecurity strategy. The Food and Drug Administration (FDA) recently acted in this way, creating new cybersecurity requirements for medical device manufacturers.

There is clearly a need for quick action of this sort on healthcare cybersecurity, as hospitals have become a favored target of profit-seeking criminals due to a perceived lack of defensive capability and rich troves of personal information. HHS notes that large data breaches in the sector have increased by 93% over the past five years, and ransomware attacks are up a disturbing 278% over that same period. However, the health care industry is not entirely embracing the government’s cybersecurity strategy. A statement from the American Hospital Association president essentially summed up the industry’s position: more funding and free services from the government are welcome, but hospitals do not want to be held to standards that are not, at a minimum, also required of their numerous third-party vendors and partners.

In addition to OCR and the FDA, the cybersecurity strategy involves the Advanced Research Projects Agency for Health (ARPA-H), which runs the DIGIHEALS project designed to ensure continued patient care in the wake of cyber attacks, and the Office of National Security (ONS), among other agencies and departments.

George McGregor, VP of Approov, draws on his career experience to suggest some starting points for the as-yet somewhat vague cybersecurity strategy to focus on: “It’s a good thing that the initiative aims to provide financial and technical resources for healthcare providers in combination with enforcement. However, this announcement is light on specifics about exactly what the voluntary Cybersecurity Performance Goals may be. Further communication needs to detail these or tie them to guidelines which exist already. The HHS also continues to push for sharing of PII and clinical data between providers as well as third-party apps and services, and these developments present security risks to providers. This means that two critical areas which should be addressed directly with enhanced security guidelines for healthcare service providers are the security of APIs such as FHIR (and) the enforcement of protections for mobile apps which access PII: either owned by service providers themselves or third-party apps.”

Troy Batterberry, CEO and Founder of EchoMark, additionally notes that the initiative has not addressed certain particular cybersecurity risks: “Once again, these government policy papers fail to fully acknowledge the large and disproportionately growing threat of information breaches done by insiders. Historically, leaks or theft by insiders are some of the most damaging types of information breaches. While conventional insider risk management tools, including logging and monitoring activities, are important and must be implemented as soon as possible, we know they do not go nearly far enough to prevent insider leaks and theft. Insider leaks continue to accelerate at well-run government and commercial organizations all over the world, even with sophisticated monitoring activities in place. The leaker (insider) simply feels they can hide in the anonymity of the group and never be caught. Sadly, today, many of them are right. An entirely new approach is required to help change human behavior and prevent insider leaks. The best way to do that is to catch leakers, which will help deter other leakers in the future. Information watermarking is one such game-changing technology that can help keep private information private.”