Healthcare data—the lifeblood of patient care—is under constant threat from cyberattacks. Recognizing this critical vulnerability, the U.S. Department of Health and Human Services (HHS) has rolled out a comprehensive concept paper titled Healthcare Sector Cybersecurity Strategy: Introduction to the Strategy of the U.S. Department of Health and Human Services.
Let's dissect this vital document and see how it aims to shield the healthcare domain from the digital shadows.
1. Shared responsibility
The strategy emphasizes a collaborative approach, urging healthcare providers, technology companies, government agencies, and patients to work together in defense. It's a united front against a common enemy, recognizing that cybersecurity is everyone's business.
2. Risk-based prioritization
Recognizing the resource constraints of many healthcare organizations, the strategy advocates for prioritizing risks based on potential impact. This means directing limited resources to protect the most sensitive data and critical systems first, so that each dollar spent yields the greatest reduction in risk.
3. Cybersecurity workforce development
The strategy acknowledges the shortage of skilled cybersecurity professionals in healthcare. It proposes initiatives to improve recruitment, training, and retention of these crucial talents, building a robust cyber defense force for the medical field.
4. Incident response and resilience
Knowing that breaches can happen, the strategy focuses on strengthening incident response capabilities and building resilience against attacks. This includes rapid detection, containment, and recovery protocols, minimizing disruptions to patient care.
5. Supply chain security
Healthcare relies heavily on interconnected technology providers. The strategy stresses the importance of securing the supply chain, ensuring that vulnerabilities in one vendor don't cascade into catastrophic breaches for others.
Open communication is key to building trust and fostering collaboration. The strategy encourages increased transparency between healthcare organizations and patients regarding cybersecurity risks and measures taken to mitigate them.
In early December 2023, the HHS issued a press release detailing the concept paper that outlines the Department's cybersecurity strategy for the healthcare sector. According to the release:
The concept paper builds on the National Cybersecurity Strategy that President Biden released last year, focusing specifically on strengthening resilience for hospitals, patients, and communities threatened by cyber-attacks. The paper details four pillars for action, including publishing new voluntary healthcare-specific cybersecurity performance goals, working with Congress to develop support and incentives for domestic hospitals to improve cybersecurity, and increasing accountability and coordination within the healthcare sector.
According to the HHS Office for Civil Rights (OCR), cyber incidents in health care are on the rise. From 2018-2022, there has been a 93% increase in large breaches reported to OCR (369 to 712), with a 278% increase in large breaches involving ransomware. Cyber incidents affecting hospitals and health systems have led to extended care disruptions, patient diversions to other facilities, and delayed medical procedures, all putting patient safety at risk.
"Since entering office, the Biden-Harris Administration has worked to strengthen the nation's defenses against cyberattacks. The health care sector is particularly vulnerable, and the stakes are especially high. Our commitment to this work reflects that urgency and importance," said HHS Secretary Xavier Becerra. "HHS is working with health care and public health partners to bolster our cyber security capabilities nationwide. We are taking necessary actions that will make a big difference for the hospitals, patients, and communities who are being impacted."
"Hospitals across the country have experienced cyberattacks, leading to canceled medical treatments and stolen medical records. Such impacts are preventable. To keep Americans safe, the Biden-Harris Administration is establishing strong cybersecurity standards for healthcare organizations and enhancing resources to improve cyber resiliency across the health sector, including working with Congress to provide financial support for hospitals. Today's announcement by HHS builds on Biden-Harris Administration's work to operationalize smart cybersecurity practices in our nation's most critical sectors, like pipelines, aviation, and rail systems," said Anne Neuberger, Deputy National Security Adviser for Cyber and Emerging Technologies.
"The healthcare sector is experiencing a significant rise in cyberattacks, putting patient safety at risk. These attacks expose vulnerabilities in our health care system, degrade patient trust, and ultimately endanger patient safety," said HHS Deputy Secretary Andrea Palm. "HHS takes these threats very seriously, and we are taking steps that will ensure our hospitals, patients, and communities impacted by cyberattacks are better prepared and more secure."
SecureWorld News has reported on several breaches affecting healthcare organizations over the years, including a few more recent ones, such as a ransomware attack at an Illinois hospital, a ransomware attack at a Barcelona hospital, an attack on Ardent Health Services that shut down three emergency rooms, and a December 2023 cyberattack on Fred Hutch, a Seattle-based cancer center, among others.
The HHS's strategy is a crucial step toward a more secure healthcare ecosystem. However, implementing its recommendations is a marathon, not a sprint. Continued dialogue, collaboration, and resource allocation are needed to realize its vision.