HHS Proposes New Cybersecurity Requirements for Hospitals Through HIPAA, Medicaid and Medicare


The U.S. Department of Health and Human Services (HHS) said it plans to take a series of steps to better address cyberattacks on hospitals, which have caused dozens of outages across the country in recent months.

First reported by Politico, the planning document HHS released Wednesday outlines several voluntary and potentially mandatory actions hospitals will need to take.

HHS said it was seeking comment on proposals that would see new cybersecurity requirements for hospitals imposed through the Medicare and Medicaid programs, ostensibly tying federal payments to baseline standards. A similar concept was floated by HHS Deputy Secretary Andrea Palm and Sen. Mark Warner (D-Va.), according to Politico.

“Funding and voluntary targets will not be enough to drive the necessary behavioral change in the healthcare sector around cybersecurity,” the planning document explains.

“Given the increased risk profile of hospitals, HHS aspires to have all hospitals meet sector-specific Cybersecurity Performance Goals (CPGs) in the coming years.”

In addition to adding cybersecurity requirements to Medicare and Medicaid, HHS plans to begin potential updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in spring 2024 that would also include new cybersecurity requirements.

HHS said it plans to work with Congress to increase civil monetary penalties for HIPAA violations and to expand its resources so it can investigate more potential HIPAA violations, conduct audits, and provide more technical assistance.

The plan comes as hospitals continue to face near-relentless attacks from ransomware gangs that have caused weeks-long outages and forced the diversion of ambulances and the cancellation of appointments. Many healthcare facilities have been forced to revert to paper and notepads while being unable to access patient record systems.

A study led by researchers at the University of Minnesota released in October found that ransomware incidents increased in-hospital mortality among patients admitted to attacked hospitals. The researchers estimate that between 42 and 67 Medicare patients died between 2016 and 2021 from outages caused by ransomware attacks.

The researchers behind the study said the actual number of deaths caused by ransomware attacks “is likely even higher when including patients with other types of health insurance coverage.”

Outages and breaches

In addition to the immediate effects of ransomware attacks, information stolen by hackers during incidents has long-term effects on victims.

Through the Office for Civil Rights (OCR), HHS tracks large data breaches and has seen a 93% increase in reported significant breaches between 2018 and 2022 (369 to 712), along with a 278% increase over the same period in significant breaches reported to OCR that involved ransomware.

HHS confirmed that these types of cyber incidents continue to cause “prolonged care interruptions caused by outages lasting weeks; diversion of patients to other facilities; and pressures on acute care provision and capacity, leading to canceled medical appointments, services not rendered, and delays in medical procedures (particularly elective procedures).”

“More importantly, they endanger patient safety and impact local and surrounding communities who rely on the availability of the local emergency department, radiology unit or cancer center for life-saving care,” said HHS.

This week, a ransomware gang claimed credit for an attack on Tri-City Medical Center, which forced the San Diego hospital to take its systems offline on November 9, halt elective procedures and take other actions in light of the devastating attack. The hospital was only able to return to full functionality on December 2.

Ransomware attacks this year against Capital Health, Ardent Health Services and Prospect Medical Holdings have left dozens of hospitals struggling to provide patient care amid near-catastrophic technology failures.

Recorded Future – the parent company of The Record – reported at least 19 ransomware attacks against healthcare facilities last month and a sharp increase in incidents throughout 2023.

Carrots and sticks

The department said that so far it has significantly increased its efforts to share information and intelligence on cyber threats across the industry to help mitigate risks. It provides technical assistance, guidance and resources to help healthcare organizations protect patients and medical devices.

The latest efforts and plans build on the 2023 hospital cyber resilience landscape analysis conducted following the release of the National Cybersecurity Strategy, which directed sector management agencies such as HHS to use all available tools to increase cybersecurity protections.

HHS now plans to establish voluntary cybersecurity performance goals for the healthcare sector, encourage better cybersecurity practices, and implement an HHS-wide strategy to support better enforcement and greater accountability. HHS also wants to develop and expand its own cybersecurity resources.

“HHS will work with Congress to obtain new authority and funding to both administer financial support for national hospital investments in cybersecurity and, in the long term, enforce new cybersecurity requirements by imposing financial consequences on hospitals,” the department said.

“HHS is considering two programs: an initial investment program, to help health care providers in need, such as low-resource hospitals, cover upfront costs associated with implementing ‘essential’ CPGs, and an incentive program to encourage all hospitals to invest in advanced cybersecurity practices to implement ‘enhanced’ CPGs.”

The agency hopes that with more authority and resources, it can eventually integrate CPGs into existing regulations that will “inform the creation of new enforceable cybersecurity standards.”

“Taken together, HHS believes that these goals, supports, and accountability measures can comprehensively and systematically advance the health sector across the cyber resilience spectrum to better respond to the growing threat of cyber incidents, especially for high-risk targets like hospitals,” the department said.

Jonathan Greig

Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.