HHS Plans to Offer Incentives for Cybersecurity Improvements

Dec. 7, 2023
Health & Human Services also will establish and publish voluntary sector-specific cybersecurity performance goals

Noting that cyber incidents in healthcare are on the rise, the U.S. Department of Health and Human Services has outlined steps it is taking to build cyber resiliency in the healthcare sector, including seeking authority to offer incentive payments to help healthcare organizations improve their cybersecurity practices.

In a new report, HHS said it is establishing voluntary cybersecurity performance goals for the healthcare sector. Currently, healthcare organizations have access to numerous cybersecurity standards and guidance that apply to the sector, which can create confusion regarding which cybersecurity practices to prioritize. HHS, with input from industry, will establish and publish voluntary sector-specific cybersecurity performance goals, setting a clear direction for industry and helping to inform potential future regulatory action from the department. 

HHS said the Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) would help healthcare institutions prioritize implementation of high-impact cybersecurity practices. HPH CPGs will include both “essential” goals to outline minimum foundational practices for cybersecurity performance and “enhanced” goals to encourage adoption of more advanced practices. 

Second, HHS said it would provide resources to incentivize and implement these cybersecurity practices. HHS will work with Congress to obtain new authority and funding to both administer financial support for domestic hospital investments in cybersecurity and, in the long term, enforce new cybersecurity requirements through the imposition of financial consequences for hospitals.

HHS envisions the establishment of two programs: an upfront investments program to help high-need healthcare providers, such as low-resourced hospitals, cover the upfront costs associated with implementing “essential” HPH CPGs, and an incentives program to encourage all hospitals to invest in advanced cybersecurity practices to implement “enhanced” HPH CPGs. 

Another goal is to implement an HHS-wide strategy to support greater enforcement and accountability.

“Funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector,” the HHS report said. “Given the increased risk profile of hospitals, HHS aspires to have all hospitals meeting sector-specific CPGs in the coming years. With additional authorities and resources, HHS will propose incorporation of HPH CPGs into existing regulations and programs that will inform the creation of new enforceable cybersecurity standards.”

CMS will propose new cybersecurity requirements for hospitals through Medicare and Medicaid, and the HHS Office for Civil Rights will begin an update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, in spring of 2024, to include new cybersecurity requirements. 

HHS will also continue to work with Congress to increase civil monetary penalties for HIPAA violations and increase resources for HHS to investigate potential HIPAA violations, conduct proactive audits, and scale outreach and technical assistance for low-resourced organizations to improve HIPAA compliance. In the interim, HHS will continue to investigate potential HIPAA violations. 

HHS said it would mature its “one-stop shop” cybersecurity support function for the healthcare sector within the Administration of Strategic Preparedness and Response (ASPR) to more effectively enable industry to access the support and services the Federal Government has to offer. The department said a one-stop shop will enhance coordination within HHS and the Federal Government, deepen government’s partnership with industry, increase HHS’s incident response capabilities, and promote greater uptake of government services and resources such as technical assistance, vulnerability scanning, and more. 

Taken together, HHS believes these goals, supports, and accountability measures can comprehensively and systematically advance the healthcare sector along the spectrum of cyber resiliency to better meet the growing threat of cyber incidents, especially for high-risk targets such as hospitals. 
