December 12, 2023 | Policy Brief

HHS Cyber Strategy Aims to Provide Relief for Under-Resourced Hospitals

The Department of Health and Human Services (HHS) released a paper outlining its healthcare sector cybersecurity strategy on December 6, paying special attention to underfunded hospitals. This announcement comes at a time when such hospitals are disproportionately affected by cyberattacks and are in severe need of assistance.

HHS refers to the new document as a “concept paper” that highlights the key goals in the department’s healthcare sector-specific cybersecurity strategy, though HHS did not specify when, or if, it intends to release the full strategy.

After recounting HHS’s past and current efforts to tackle healthcare-specific cybersecurity challenges, the new document explains the four lines of effort HHS will pursue to advance cyber resiliency. First, HHS will establish a set of standardized, voluntary sector-specific cybersecurity performance goals, split into “essential” and “enhanced” goals to delineate minimum foundational practices and advanced functions. Second, HHS will work with Congress to provide funding for under-resourced hospitals to cover the costs of implementing “essential” goals and incentives to encourage all hospitals to implement “enhanced” goals.

Third, the department will update the Health Insurance Portability and Accountability Act (HIPAA) to include new cybersecurity requirements and work with Congress to increase civil monetary penalties for HIPAA violations. While HIPAA enforcement is necessary to guarantee the protection of patient data, the fear of heavy HIPAA fines may deter some healthcare providers from reporting cyberattacks to HHS, leaving providers to respond to ransomware and other attacks on their own. Recognizing that punitive measures alone are likely to fail, HHS therefore plans to work with Congress to increase technical assistance for under-resourced organizations to improve compliance with HIPAA privacy regulations.

Lastly, HHS will streamline its cybersecurity support so that healthcare providers have an easier time accessing government services.

These updates are long overdue. The healthcare and public health sector has been disproportionately affected by cyberattacks and suffers from the most ransomware attacks of all 16 critical infrastructure sectors designated by the federal government. Underfunded rural hospitals are the most at risk, as they often face funding shortages that limit their ability to create and maintain robust cybersecurity programs. Cybercriminals readily exploit this, with a 2020 report indicating that 70 percent of cyberattacks were directed at small healthcare providers.

Attacks directed at the healthcare sector can disrupt patient care and ultimately threaten patient health and safety. If executed correctly, HHS’s new efforts could prevent attacks by getting cybersecurity tools and resources to the providers who need them most. The emphasis of the strategy should remain on assisting under-resourced providers, not on punishing providers for violations of the new standards.

Congress will need to review HHS’s plans and provide the appropriate funds to implement them. HHS should also seek extensive private-sector collaboration when finalizing its strategy, as insight and expertise from industry are necessary to understand ideal and obtainable sector goals.

Michael Sugden is a research analyst and editorial associate with the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.