BLOG

By Nadia Fahim Koster 

The digitization of the healthcare sector has brought with it an escalating series of cyber threats and assaults. This new era of digital healthcare necessitates robust cybersecurity defenses to deal with these challenges.  

The rise in cyber incidents that interfere with patient care has been alarming since 2018. In response to this, and following the guidelines of the National Cybersecurity Strategy implemented by the Biden administration in March 2023, the Department of Health and Human Services (HHS) has introduced its initial plan for Cybersecurity in the Healthcare Sector.  

This blog post aims to highlight the significance of this announcement and emphasizes why Covered Entities and Business Associates must start strategizing to adhere to these guidelines immediately. 

The introductory strategy by the HHS delineates four principal measures to enhance cyber resilience within the healthcare domain. These include: 

1. Setting voluntary cybersecurity objectives for the healthcare sector. 

2. Offering resources that motivate and enable the execution of these cyber security practices. 

3. Developing a strategy across HHS to promote stronger enforcement and accountability. 

4. Enhancing and refining the central hub within HHS for cyber security in the healthcare sector. 

At Meditology, we closely monitored the developments throughout 2023. Given the various activities of HHS and CISA around healthcare and critical infrastructure, we suspected the introduction of a program akin to Meaningful-Use, applying both incentives and penalties in relation to cyber security. This recent announcement from HHS appears to confirm our suspicions. 

Takeaway 1 

HHS aims to establish and publish Cyber Performance Goals specifically tailored for the Healthcare & Public Health Sector (HPH CPGs), with contributions from industry insiders. This initiative's purpose aligns with that of the CISA Cross-Sector CPGs, which is to guide the healthcare sector in prioritizing the implementation of vital cybersecurity practices.  

The plethora of frameworks relevant to healthcare cybersecurity can be overwhelming for cyber risk professionals, particularly in smaller organizations, making it challenging to identify initial steps and coverage areas. It remains unclear how HPH CPGs will distinguish themselves from CISA CPGs or the Health Industry Cybersecurity Practices (HICP). The expectation is that they will reflect the cross-sector CPGs very closely, incorporate the most critical elements from HICP omitted in the CISA CPGs, and further hone the Operational Technology (OT) content, specifically narrowing it down to medical devices, IoT and IoMT, which are more prevalent in the healthcare sector.  

Takeaway 2 

HHS seeks to collaborate with Congress in order to secure the necessary funding for initial investments. These resources would aid "high need" Health Delivery Organizations (HDOs) in covering the cost of adopting the indispensable Health Protection and Promotion (HPP) Clinical Practice Guidelines (CPGs).  

Additionally, performance incentives will be offered for adopting the "enhanced" CPGs. This proposal echoes the previously discussed Meaningful Use (MU) strategy, which many doubted could ever be realized.  

This announcement is indeed a positive development. Cash-limited health systems often face a tough choice between investing in cybersecurity and maintaining patient care and critical operations. This innovative strategy will provide a solution to this dilemma.  

The allure of incentive dollars, as observed with the MU strategy, will motivate all systems to improve their security measures. This win-win situation is one of the most effective ways the federal government can facilitate healthcare systems in enhancing their security protocols. 

Takeaway 3 

HHS plans to intensify its regulatory oversight by updating the HIPAA Security Rule and through CMS, for non-compliance with the CPGs. Regrettably, one cannot have the best of both worlds – with amplified incentives comes heightened enforcement.  

However, this will be beneficial in the long run as it nudges healthcare C-suites and boards to prioritize cybersecurity, a much-needed emphasis in many facets of our industry. The tone of this announcement hints at a potential linkage of compliance with certain HPH CPGs to participation in Medicare and Medicaid. This will surely capture the attention of budget controllers as well as business and clinical decision-makers.  

Additionally, the HIPAA Security Rule has been due for an update for some time. Provided that the updates align with the HPH CPGs and follow the process of incentives first, followed by enforcement, this could bring substantial benefits for all stakeholders.  

What immediate steps should healthcare organizations take in response to this recent declaration?  

While the recent announcement hasn't specified a timeline, with the only date mentioned being the initiation of updates to the HIPAA Security Rule in spring of 2024, healthcare organizations must commence their preparation for the changes immediately.  

Here are some recommended steps: 

• Review the CISA Cross-Sector Cyber Performance Goals and the Health Industry Cybersecurity Practices: The upcoming HPH CPGs will likely incorporate elements from these two publications. Understanding their framework and assessment methods will put you ahead of the curve. 
• Conduct an informal assessment of your organization's readiness: Spend a couple of hours reviewing the CPGs and HICP and contemplating your organization's ability to meet their requirements. The good news is that the CISA CPGs are designed to be in line with the NIST Cybersecurity Framework (CSF), indicating that healthcare organizations already using NIST CSF will not need to drastically alter their strategic plans. 
• Engage third-party experts to assess your cybersecurity control effectiveness: The upcoming CPG requirements will necessitate validation of your cybersecurity defenses by a third-party expert. This can be achieved through penetration tests, incident simulations, or table-top exercises.  
• Plan for more challenging practices: Based on your informal review, start contemplating your approach to more complex practices, such as Vendor/Supplier Cybersecurity Requirements outlined in the CISA CPGs. For organizations without a formal Third-Party Risk Management (TPRM) program, this may be a significant undertaking. 
• Stay alert to new updates from HHS and OCR: As more developments are expected in 2024, it's crucial to stay informed and ready to respond.  

How do vendors in the healthcare sector relate to this scenario? 

The positioning of vendors within the healthcare sector is an important consideration. All entities identified as Business Associates (BA) are likely to be expected to comply with these stipulated requirements. The final iteration of this plan will persist in requiring Business Associates to adhere to HIPAA independently, thereby preventing Covered Entities from bearing the repercussions of BAs who neglect security matters.  

However, even if your organization is not classified as a BA, the prospects of securing interested clients for your products and services could be slim if these Cybersecurity Practice Guidelines (CPGs) are not met. The evaluation of healthcare entities will be based on their ability to meet these CPGs, one of which entails an explicit requirement that compels them to assess their vendors’ security stance.  

This stipulation is important in vendor selection, as it indicates that if two offerings have equivalent cost and function, the more secure option or supplier is favored.  

Conclusion  

The significance of this declaration is profound and far-reaching.  

Discussions about reforming HIPAA, offering incentive payments, and potentially introducing cybersecurity prerequisites for participation in Medicare and Medicaid, are indicative of transformative themes within the industry.  

This proclamation reinforces the notion that cybersecurity is an essential facet of healthcare. Failing to address it with due gravity could potentially harm an organization's business operations and tarnish its reputation. 

For more information or assistance to start strategizing to adhere to these guidelines, please contact us. We are dedicated to ensuring your organization's seamless transition to the latest standards in cybersecurity. 

---

NADIA FAHIM-KOSTER | EXECUTIVE VICE PRESIDENT AND GENERAL MANAGER

Nadia is an industry thought leader and expert in the management of healthcare privacy and security programs. Drawing upon more than 20 years of operational experience as a former CISO and Privacy Officer with two large regional hospital and physician networks in Atlanta, Nadia oversees the firm’s overall operations and delivery mechanisms. She is a sought-after consultant and presenter on privacy, security, and compliance programs that provides a rich and relevant perspective for all of healthcare’s key stakeholders.

Resources 

https://www.hhs.gov/about/news/2023/12/06/hhs-announces-next-steps-ongoing-work-enhance-cybersecurity-health-care-public-health-sectors.html