What’s Next for Health Care Cybersecurity?

December 06, 2023

Amid a rise in digital attacks on hospitals and other organizations, the federal government has released its new strategy to protect the health care sector.

Today, the U.S. Department of Health and Human Services (HHS) published a new paper with new strategies to strengthen hospitals, patients, and communities against potential cyberattacks. Cybersecurity has been a growing area of concern across the health care sector, which saw a 93 percent increase in large data breaches from 2018 through 2022.

“The health care sector is particularly vulnerable, and the stakes are especially high,” said HHS Secretary Xavier Becerra. “Our commitment to this work reflects that urgency and importance.”

The plan outlines four key steps to:

• Establish voluntary Health Care and Public Health Sector Cybersecurity Performance Goals that will help health care institutions plan and prioritize implementation of high-impact cybersecurity practices.
• Create and administer financial support and incentives for domestic hospitals to implement high-impact cybersecurity practices.
• Propose new enforceable cybersecurity standards that would be incorporated into existing programs, such as Medicare, Medicaid, and the HIPAA Security Rule.
• Expand the one-stop shop within HHS for health care sector cybersecurity, improving coordination, and increasing HHS’ incident response capabilities.

“The health care sector is experiencing a significant rise in cyberattacks, putting patient safety at risk,” said HHS Deputy Secretary Andrea Palm. “These attacks expose vulnerabilities in our health care system, degrade patient trust, and ultimately endanger patient safety.”

The new paper and the national cybersecurity strategy are available online.

For more information about health care cybersecurity, contact Jason Tomashunas, MS, CHEP, HAP manager, emergency management.

Members of the American Hospital Association (AHA) also are encouraged to avail themselves of the valuable expertise and experience of John Riggi, the AHA’s senior advisor for cybersecurity and risk.