HHS proposes new cybersecurity requirements for hospitals through HIPAA, Medicaid and Medicare
The United States Department of Health and Human Services (HHS) said it is planning to take a range of actions in an effort to better address cyberattacks on hospitals, which have caused dozens of outages across the country in recent months.
HHS published a planning document on Wednesday, first reported by Politico, that outlines several voluntary and potentially mandatory actions hospitals will need to take.
HHS said it is seeking comment on proposals that would see new cybersecurity requirements for hospitals pushed through Medicare and Medicaid programs, ostensibly tying federal payments to baseline standards. A similar concept has been floated by HHS Deputy Secretary Andrea Palm and Sen. Mark Warner (D-Va.), according to Politico.
“Funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector,” the planning document explained.
“Given the increased risk profile of hospitals, HHS aspires to have all hospitals meeting sector-specific Cybersecurity Performance Goals (CPGs) in the coming years.”
In addition to adding cybersecurity requirements to Medicare and Medicaid, HHS floated potential updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in the spring of 2024 that would also include new cybersecurity requirements.
HHS said it is planning to work with Congress on increasing civil monetary penalties for HIPAA violations and expanding its resources so it can investigate more potential HIPAA violations, conduct audits and provide more technical assistance.
The plan comes as hospitals continue to face near-relentless attacks from ransomware gangs that have caused weeks-long outages and have forced ambulances to be diverted and appointments to be canceled. Multiple healthcare facilities have been forced to revert to paper and pad while being unable to access patient record systems.
A study from University of Minnesota researchers released in October found that ransomware incidents increased the in-hospital mortality for patients admitted to attacked hospitals. The researchers estimate that from 2016 to 2021, between 42 and 67 Medicare patients died as a result of the outages caused by ransomware attacks.
The researchers behind the study said the true number of deaths caused by ransomware attacks “is likely even larger, when you include patients with other types of health insurance coverage.”
Outages and breaches
In addition to the immediate effects of ransomware attacks, the information stolen by hackers during incidents has long-term effects on victims.
Through the Office for Civil Rights (OCR), HHS tracks large data breaches and has found a 93% increase in large breaches reported from 2018 to 2022 (369 to 712), with a 278% increase in large breaches reported to OCR involving ransomware from 2018 to 2022.
HHS confirmed that these kinds of cyber incidents continue to cause “extended care disruptions caused by multi-week outages; patient diversion to other facilities; and strain on acute care provisioning and capacity, causing canceled medical appointments, non-rendered services, and delayed medical procedures (particularly elective procedures).”
“More importantly, they put patients’ safety at risk and impact local and surrounding communities that depend on the availability of the local emergency department, radiology unit, or cancer center for life-saving care,” HHS said.
Just this week, a ransomware gang took credit for an attack on Tri-City Medical Center — which forced the San Diego hospital on November 9 to take its systems offline, halt elective procedures and take other actions in light of the damaging attack. The hospital was only able to return to full functionality on December 2.
Ransomware attacks on Capital Health, Ardent Health Services and Prospect Medical Holdings this year left dozens of hospitals scrambling to provide patient care amid near-catastrophic technology outages.
Recorded Future — the parent company of The Record — reported at least 19 ransomware attacks on healthcare facilities last month and steep increases in incidents throughout 2023.
Carrots and sticks
The department said that so far, it has vastly expanded its efforts to share cyber threat information and intelligence with the entire sector to help mitigate risk. It provides technical assistance, guidance and resources to help healthcare facilities protect patients and medical devices.
The most recent efforts and plans are being built off of the 2023 Hospital Cyber Resiliency Landscape Analysis conducted in the wake of the release of the National Cybersecurity Strategy — which ordered sector management agencies like HHS to use every tool available to increase cybersecurity protections.
HHS plans to now establish voluntary cybersecurity performance goals for the healthcare sector, incentivise better cybersecurity practices and implement an HHS-wide strategy to support greater enforcement and accountability. HHS also wants to further expand and mature its own cybersecurity resources.
“HHS will work with Congress to obtain new authority and funding to both administer financial support for domestic hospital investments in cybersecurity and, in the long term, enforce new cybersecurity requirements through the imposition of financial consequences for hospitals,” they said.
“HHS envisions the establishment of two programs: An upfront investments program, to help high-need healthcare providers, such as low resourced hospitals, cover the upfront costs associated with implementing ‘essential’ CPGs, and an incentives program to encourage all hospitals to invest in advanced cybersecurity practices to implement ‘enhanced’ CPGs.”
The agency is hoping that with more authority and resources, it will eventually be able to integrate CPGs into existing regulations that will “inform the creation of new enforceable cybersecurity standards.”
“Taken together, HHS believes these goals, supports, and accountability measures can comprehensively and systematically advance the healthcare sector along the spectrum of cyber resiliency to better meet the growing threat of cyber incidents, especially for high-risk targets like hospitals,” they said.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.