Thursday, January 11th, 2024
On December 6, 2023, the United States Department of Health and Human Services (HHS) initiated new cybersecurity requirements for hospitals in an effort to protect the healthcare sector from cyber-attacks.
Hospitals and healthcare providers are particularly attractive targets for threat actors due to their size, dependence on technology, and access to data (including sensitive health-related data). Because sophisticated hackers appreciate the massive disruption and harm that an attack could cause to a healthcare provider and their data subjects, ransomware attacks are the weapon of choice for these threat actors. Gentry Locke is an experienced cybersecurity law firm that has data privacy and cybersecurity lawyers who can proactively assist healthcare providers to avoid these costly attacks.
Four New Requirements
HHS reported a 93% increase in large-scale data breaches from 2018-2022, with a 278% increase in ransomware attacks. Not only are cyberattacks on healthcare providers prolific, their consequences can be tragic, with 17% of healthcare cyberattacks leading to physical harm or death.
With the increase of cyber-attacks on healthcare organizations that threaten the safety of patients, HHS recognized a need to expand on the current procedures and resources allocated to the healthcare sector and introduced four measures to improve cybersecurity:
1) Establish voluntary cybersecurity performance goals for the healthcare sector
2) Provide resources to incentivize and implement these cybersecurity practices
3) Implement an HHS-wide strategy to support greater enforcement and accountability
4) Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity
The cumulative effect of these measures is to incentivize compliance, establish tangible standards and benchmarks, provide hospitals with resources for cybersecurity education and implementation, and disincentivize non-compliance by bolstering HHS’s enforcement powers.
To provide guidance for industry, HHS will introduce the Healthcare and Public Health Sector Cybersecurity Performance Goals (HPH CPGs) which will create direct guidelines to promote the use of essential security practices across healthcare facilities.
Further, HHS plans to collaborate with Congress to supply financial support to hospitals through an upfront investment program and an incentives program. The upfront investment program will alleviate the financial burden on low-resourced hospitals by covering the cost of the essential HPH CPGs. The incentives program will allow all hospitals to implement advanced cybersecurity protocols.
HHS also announced that it is coordinating with Congress to increase civil monetary penalties for Health Insurance Portability and Accountability Act (HIPAA) violations. HHS also plans to initiate “proactive audits” and investigations. These measures will provide the federal government with a tool to ferret out and financially punish non-compliance. Gentry Locke’s cybersecurity attorneys and white-collar defense attorneys are experienced in advising and defending entities that find themselves subject to government investigations and enforcement actions.
The HHS Office for Civil Rights (OCR) will update the HIPAA Security Rule in the spring of 2024, including new cybersecurity requirements, which will be subject to greater enforceability, given the implementation of proactive audits and corresponding financial penalties.
Finally, the established internal HHS support system within the Administration of Strategic Preparedness and Response (ASPR) will undergo changes to provide hospitals with a clear resource to report and respond to cyberattacks. HHS also plans to bolster coordination with the Federal Government to expand the availability and use of all available resources.
HHS further signaled its pronounced focus on cybersecurity when HHS OCR announced its first-ever settlement under HIPAA’s Security Rule resulting from a phishing cyberattack. OCR’s investigation revealed that a 2021 data breach suffered by Lafourche Medical Group, which impacted approximately 35,000 individuals, resulted from a failure by Lafourche to conduct risk assessments and identify potential threats and vulnerabilities as required by HIPAA. Under the settlement, Lafourche Medical Group will pay $480,000 in penalties and implement a corrective action plan that will be monitored by OCR for the next two years.
Also on December 6, a healthcare accreditation nonprofit known as the Joint Commission announced a new health data privacy certification program, which will train hospitals on protecting patient privacy while transferring that data to third-party organizations for secondary use. The program, called the Responsible Use of Health Data Certification, will not only aid the healthcare industry in preventing cyberattacks but will also generate increased trust from stakeholders and patients concerned about the vulnerability of their sensitive health data.
While every sector is at risk of cyberattacks, the healthcare sector continues to be an attractive target for cyber criminals, requiring advanced measures to ensure the safety of patients and the efficiency of healthcare facilities. HHS’s new measures to increase cybersecurity will provide healthcare facilities with clear goals, financial support, increased HIPAA penalties and a coordinated system within ASPR to bolster relevant cybersecurity strategies. While cyberattacks on the healthcare system continue to dominate headlines, the hope is that clearer guidance and stronger financial incentives will encourage the healthcare sector to focus on cybersecurity. If you have questions, contact the experienced Criminal & Government Investigations attorneys at Gentry Locke.