Q&A: Are You Checking All the Boxes of the HHS Newest Cybersecurity Plan?

Traffic lights in a city at night

In 2023, 133 million health care records were breached, more than twice the count of 2022 and 2021 combined. At this rate, next year’s numbers could look even more grim—especially following Change Healthcare’s cyberattack in February 2024—what the American Hospital Association deemed the most significant attack on health care in American history. A new federal strategy hopes to achieve its intended goal of cracking down on health care cyber vulnerabilities.

Released in December 2023 by the US Department of Health and Human Services (HHS), the strategy—titled Health Care Sector Cybersecurity—outlines a new path to reinforce cyber defenses in health care. With more specificity than similar guidelines have had in the past, it lays out what health systems should be doing across cybersecurity performance goals (CPG).

Those 20 goals cover a broad range of cybersecurity best practices, from basic ones like email security and multifactor authentication to more advanced activities, such as incident reporting and attack testing.

While they’re all voluntary, they could be tied to significant incentives soon, or even made mandatory in the future. As such, health care executives should ensure their IT teams are preparing accordingly. Is yours?

Our own Brian Conner sat down with Troy Hawes to cover what leaders should know about the new HHS cybersecurity plan.

What’s special about this cybersecurity plan that’s different than HHS’s previous efforts to address health care breaches?

This plan builds upon HHS’s previous efforts, which have included the creation of the wall of shame, as well as other guidelines and trainings. This plan also includes guidance specific to telehealth.

The plan, which is part of the Biden administration’s National Cybersecurity Strategy, is explicit in how it lays out what it expects of health care systems via these 20 CPGs—some are essential, some more advanced.

Read the plan and become acquainted with this initiative to better understand how seriously HHS is taking this as well as implications for your organization.

Why these 20 goals? What’s driving them as the priority?

CPGs were created from other industry-leading cyber best practices, including HICP Technical Volumes 1 and 2, the NIST Cybersecurity Framework 2.0 released February 26, 2024, and NIST 800-66 Revision 2: Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide, released February 16, 2024.

These are common areas of vulnerability and industry experts agree they’re the first- and second-line priorities health care organizations should consider.

What’s the difference between essential and enhanced goals?

The CPGs are split into two different types of goals: essential and advanced.

Essential goals are baseline safeguards intended to protect against attack. Enhanced goals are the next level of defense, intended for more advanced attacks.

Are hospitals and health systems going to be incentivized or penalized?

As of Spring 2024, these are voluntary and will be tied to incentives that require Congressional involvement and are not yet determined. The plan outlines two types of incentives:

  • Upfront investment support to cover essential CPGs for certain high-need health care providers
  • An incentive program to cover enhanced CPGs for all hospitals and health systems

The guidance also alludes to financial penalties in the long term as possibilities—implying these voluntary incentive-based steps might become mandatory and subject to noncompliance or fines in the future.

Additionally, the plan references:

  • A CMS proposal to require cybersecurity activities, meaning reimbursement could be affected if goals are unmet
  • Future modifications to the HIPAA Security Rule in 2024 to include cybersecurity requirements
  • A proposal to weave the CPGs into existing regulations to make them enforceable

For adequate preparation for what’s to come, view these rules as requirements, not just recommendations.

What should health care executives be asking of their IT teams?

Ensure there’s a flow of information coming to you from your IT and information security teams; they should be reporting up their progress, barriers, and current status.

High-level questions to consider include:

  • What’s our cybersecurity maturity? Do we have all the essential steps covered? If not, what will it take to get there?
  • How many incidents are reported and mitigated weekly?
  • Is ransomware testing available to understand vulnerabilities and recovery turnaround?

When should organizations get started on implementing these CPGs?

The best time to implement these CPGs is right now.

Many of these steps can take time, and while the timing of any incentives or penalties is uncertain, it’s better to outline a roadmap to do these things sooner rather than later.

These practices are industry-recognized and reflective of recommended cybersecurity stewardship, so don’t delay.

The runway to implement these changes can vary by health system and their maturity of IT infrastructure and security controls. For the essential rules, it could take just weeks if they already have most of these areas addressed, for others it could be years if they don’t.

Even though the incentives aren’t specified yet, the plan suggests HHS will give upfront investment support for certain hospitals and health systems to address the essential CPGs. Why should these entities put in the effort now if they could wait and be subsidized for those same efforts once incentives are finalized?

We don’t know when the incentives will be available, and cyber criminals and attackers aren’t going to wait. They’ll continue to target health care systems until they find it’s no longer an easy target.

As seen from recent cyberattacks, and especially from the Change Healthcare ransomware attack, a successful attack can take systems down for weeks or even months, costing the hospital and health system millions of dollars to respond and recover, so it makes financial sense to start building a strong cybersecurity posture as soon as possible.

Which CPGs should health systems prioritize?

Prioritize the essential goals first, then look to the enhanced.

Most health systems will already have most of the essential steps addressed in some way, meaning they likely shouldn’t need a start-from-scratch approach.

Beyond that, take a risk-based approach: Know your individual risk and prioritize your known unique vulnerabilities.

How much time do hospitals and health systems have to meet these goals?

Timing hasn’t been specified, only that HHS intends to have all hospitals and health system meeting sector-specific CPGs in the future.

What else do we need to know about this?

Cybersecurity is complex and changing. As technology becomes more sophisticated, so do strategies used by bad actors to exploit vulnerabilities.

This plan isn’t mandatory now, but it could be someday. Regardless, cyberthreats jeopardize patient safety and privacy as well as site resources, revenues, and reputation, so promoting cyber resiliency should be a top priority for hospitals and health systems.

We’re Here to Help

To learn more about cybersecurity planning for your health care organization, contact your Moss Adams professional.

Additional Resources

Related Topics

Contact Us with Questions