The Department of Health and Human Services' recent cybersecurity implementation guide outlines key steps that health care organizations can use immediately to help prevent and manage cyber risks.
The guide's second version was jointly developed in March by the agency's Administration for Strategic Preparedness and Response (ASPR) and the Health Sector Coordinating Council (HSCC) and is just one of many proactive approaches taken across the federal government to help secure systems amid a growing and evolving security landscape.
Since the beginning of the year, the White House has made it a priority to encourage cybersecurity investments in government and industry.
“Too often we’re relying on the individual consumer, small businesses, local and state governments to defend against nation states, and that is an unfair burden we’re putting on the wrong folks,” White House Assistant National Cyber Director Anjana Rajan said during GovCIO Media & Research’s CyberScape: Insider Threats event March 2. “What we need to rebalance is the players that can bear that burden in the public, and private sectors need to do their fair share of cybersecurity.”
With cybersecurity top of mind, HHS' guide aims to help public and private health care sectors prevent cybersecurity incidents, which happen at an overwhelming rate. According to Check Point Research, cyberattacks have increased by 86% since 2021 in hospitals nationwide — accumulating roughly 1,400 cyberattacks weekly per organization.
“Cyber incidents pose risks to patient data, intellectual property, scientific or laboratory research, medical manufacturing, and ultimately the ability of health care organizations to safely serve their patients,” said HHS Deputy Secretary Andrea Palm in a statement.
Most importantly, cyberattacks in health care have a direct impact on patients and patient care. To prevent putting patient care at risk, the guide recommended that health care organizations implement NIST’s seven-step cybersecurity framework.
“Health care cyberattacks are among the fastest growing type of cybercrime — jeopardizing patient care, damaging the integrity of health care systems and threatening the U.S. economy,” Assistant Secretary for Preparedness and Response Dawn O’Connell said in a statement. “Health care organizations must safeguard their information technology systems to help prevent attacks and create a culture of cyber safety in the health care industry.”
CMS' cybersecurity approach strives to ensure the agency actively identifies, manages and mitigates cyber risks to the sensitive data of the 65 million beneficiaries it serves each year. Ultimately, the implementation of the guide provides a roadmap that helps health care facilities assess and close gaps surrounding cybersecurity risks.
“The [cybersecurity framework] also provides guidance on developing a risk-management plan, which can help organizations prioritize and address their most critical risks. This can lead to more effective and efficient use of resources, which can ultimately reduce the likelihood of a successful cyberattack,” a CMS spokesperson told GovCIO Media & Research.
In April, the Cybersecurity and Infrastructure Security Agency (CISA) outlined steps to increase security for technology providers.
“Ensuring that software manufacturers integrate security into the earliest phases of design for their products is critical to building a secure and resilient technology ecosystem,” CISA Director Jen Easterly said in a statement.
Agencies across the board are continuing to make cybersecurity a top priority. While HHS' implementation guide is only a guide and not a requirement, the public-private partnership behind the guide demonstrates a well-rounded effort to maintain current approaches to the evolving risks that threaten the health care ecosystem.
“The goal is to maintain the confidentiality, integrity and availability of CMS’ systems and data, so that CMS can continue to serve our beneficiaries with the highest standards of care and service,” a CMS spokesperson said.