Will Upcoming HHS Cyber Regs Move Needle in Health Sector?
New Minimum Cyber Mandates Expected for Hospitals, But Is That Enough?
The Biden administration in coming weeks will issue new regulations aimed at bolstering cybersecurity in the U.S. healthcare sector. Hospitals are expected to be the first entities - at least initially - required to implement new "minimum" mandates based on "cybersecurity performance goals" the Department of Health and Human Services released in January.
The administration for months has been collaborating with healthcare sector groups and cybersecurity leaders to hammer out the new regulations, which are expected to be issued within weeks, said Deputy National Security Advisor Anne Neuberger during an event in Washington, D.C., this week hosted by news outlet Semafor.
The healthcare sector continues to be one of the most vulnerable of all critical infrastructure sectors to a never-ending rise in threats, she said. "After COVID, it was a difficult time. More systems were rolled in. So, hospitals really do need to focus and double down on security," she said.
Ensuring that hospitals can do a much better job in standing up against cyberthreats that cause serious disruptions to patient care "has really been a priority for the president," Neuberger said at the event.
"We're working on a rule related to minimum security practices for hospitals. We've been working closely with the American Hospital Association to get input from the sector," she said.
Cybersecurity Performance Goals
In January, HHS issued 10 "essential" and 10 "enhanced" cybersecurity performance goals designed to better protect the healthcare sector from cyberattacks (see: HHS Details New Cyber Performance Goals for Health Sector).
While the CPGs were called "voluntary" at the time, HHS' budget proposal for fiscal 2025 released in March includes financial penalties in the form of reduced payments to certain hospitals that fail to meet cybersecurity standards, starting in fiscal 2029 (see: Feds Wave Sticks & Carrots at Health Sector to Bolster Cyber).
The new regulations from HHS in the coming weeks are expected to focus on the "essential" CPGs, to start. Those include best practices and controls such as multifactor authentication and strong encryption.
"The forthcoming mandates are indeed expected to be significant - and we have been preparing our members for years for this moment," said Mari Savickis, vice president of public policy for the College of Healthcare Information Management Executives, a professional association of healthcare CIOs and CISOs.
"A big challenge is making sure that whatever they require actually moves the needle and accomplishes the outcomes we all want to see, which are fewer successful attacks, fewer impacts to patient care and stronger cyber defenses," said Savickis, who was among industry leaders participating in the recent White House symposium hosted by the National Security Council to brainstorm ways of improving healthcare sector cybersecurity.
Hospitals - probably larger ones at least initially - are expected to be the first group required to comply with the new requirements, and financial incentives and disincentives from the Centers for Medicare and Medicaid Services are likely to be part of that equation.
But focusing on the more than 7,300 hospitals in the U.S. will not be enough to make a huge leap in cybersecurity maturity for the sector, some experts said.
That's because while ransomware attacks on hospitals have caused turmoil in patient care delivery and pose serious safety concerns, many nonhospitals also have suffered similarly disruptive cyber incidents.
That includes health insurers and third-party vendors - most notably the February cyberattack on UnitedHealth Group's Change Healthcare IT services unit, which brought the sector to its knees in terms of disruption to critical business operations that support patient care (see: Change Healthcare Attack 'Devastating' to Doc Practices).
"Focusing solely on hospitals covers only half the problem," said Greg Garcia, executive director of cybersecurity at the Healthcare and Public Health Sector Coordinating Council, a liaison between the sector's many subsectors and the federal government.
"Third parties like Change Healthcare and many other technology and service providers are vulnerable threat vectors that are not held to a high enough standard of security, particularly as patient safety is at stake," said Garcia, who participated in the recent White House forum.
Other experts agree with that assessment. "Hospitals and providers are just one piece of the pie. If the rest of the healthcare ecosystem does not move forward as well, then we are only solving one piece of a far greater puzzle," Savickis said.
"Importantly, while hospitals can improve their practices, it bears repeating that they rely on tools they purchase from third parties, and their security is outside the control of the hospital. It comes back to cybersecurity being a shared responsibility," she said.
Also, many cash- and resource-strapped hospitals and other healthcare organizations simply don't have deep enough pockets or skill sets to implement critical security practices and controls - even "essential" ones - let alone "enhanced" practices such as cybersecurity testing.
"CHIME supports the need for a set of best cybersecurity practices and standards, but meeting them without funding will present challenges especially for the smaller and under-resourced hospitals," Savickis said.
Balancing Act
Sector leaders are trying to hash out some of these finer details, Neuberger said. "What are the policies the government needs to put in place? What are the policies that are burdensome that we can do better about?"
The HHS fiscal 2025 budget proposal includes $1.3 billion in financial help, such as grants, for hospitals to invest in cybersecurity over the next several years. That "is a start," Garcia said. "But using a punitive CMS stick that withholds a portion of reimbursement for noncompliance will be difficult to enforce and an additional stressor on underserved providers. The focus on underserved provider compliance with scarce resources can be a drain on actually implementing security."
"Many of the attacks against healthcare are sophisticated attacks," said Anahi Santiago, CISO of ChristianaCare and a participant at the White House forum.
"The CPGs are a great baseline for organizations to mature their information security programs and necessary foundations to improve an organization's security posture; however, they can't guarantee an organization's ability to fend off the types of attacks seen in our industry," she said.
"I see the CPGs as a great area of focus for organizations that are struggling with where to invest in people, process and technology, but acknowledge that for many underserved organizations, it's still going to be difficult to implement."
To help address some of the concerns of under-resourced entities, the White House, in collaboration with the AHA, forged a partnership with Microsoft and Google to provide limited-time free training and cybersecurity technology for the nation's 1,800 rural hospitals (see: Microsoft, Google Offering Cyber Help to Rural Hospitals).
"Those hospitals really are the only ones in the surrounding area, so if they're hit by a cyberattack, Americans don't have access to healthcare," Neuberger said.
But the recently announced cyber training from Google and Microsoft - two tech giants that do not specialize in healthcare - is not likely to be effective over time, especially as the free or discounted help ends after just one year, Garcia said.
"What happens after that? There is also some bemusement in the community that the White House is promoting the business interests of big tech in healthcare, while there are numerous specialty firms led by former healthcare CISOs that provide healthcare cybersecurity services exclusively," he said.
Garcia said that while the CPGs are generally the right approach for better cybersecurity, "they constitute only the 'what' in 'what needs to be done.'" The HSCC is helping providers and other health industry stakeholders plan for the "'how' - how to do it and organize around it," he said.
The Health Industry Cybersecurity Practices, or HICP, published jointly by HSCC and HHS in 2023, is an example of the "how," Garcia said.
"If the White House wants to move the needle, they'll need to push on HICP adoption and get behind the HSCC five-year Health Industry Cybersecurity Strategic Plan, which lays out a wellness plan across the sector with a broad spectrum of cybersecurity strategies to get us to stable condition by 2029," he said (see: HSCC Issues Cyber 'Call to Action' Plan for Health Sector).
"We believe generally that the collaboration between HHS and the 400-plus healthcare organizations in the HSCC is beginning to see real traction in terms of operational and policy alignment, and the White House should support that partnership rather than putting its finger in the dike."
HHS declined Information Security Media Group's requests for comment, saying that it does not comment on pending rule-making.
The AHA also did not immediately respond to ISMG's request for comment.
State Efforts
While the federal government works on establishing new healthcare sector cybersecurity regulations, at least one state already has a head start on writing its own cyber requirements for hospitals (see: NY State Eyes New Cyber Regs for Hospitals; $500M Price Tag).
New York state in December published proposed draft cyber regulations for "general hospitals," which then underwent a 60-day period of public comment. The state's Department of Health made amendments and published revised rule-making on May 15, which is currently undergoing a public comment period scheduled to close on July 1, a spokeswoman for the state DOH told ISMG.
"After this current public comment period closes, the Department will once again assess all of the comments before bringing the regulation back to the Public Health and Health Planning Council for final approval and adoption. Once adopted, hospitals will have a year to come into compliance with the new regulations."
"Under Governor Kathy Hochul's leadership, New York State has significantly enhanced its cyber defenses, which are critically important to our health care system," said New York State Health Commissioner Dr. James McDonald in a statement to ISMG. "When we protect hospitals, we protect patients. These nation-leading cybersecurity hospital regulations build on the Governor’s state of the state priority by helping protect critical systems from cyber threats and ensuring New York’s hospitals and health care facilities stay secure."
The latest proposed New York State cyber regulations for hospitals include a long list of requirements ranging from conducting risk assessments to implementing multifactor authentication.