Hospitals can soon expect to see new draft cybersecurity regulations, according to the Department of Health and Human Services (HHS).
The HHS outlined its cybersecurity strategy for the healthcare sector in a concept paper released Wednesday that also described voluntary performance goals. The goals are intended to help the industry prepare for forthcoming enforceable standards, the agency said.
In addition, the Centers for Medicare and Medicaid Services is expected to propose new cybersecurity requirements for hospitals through Medicare and Medicaid, per the HHS.
The HHS’s Office for Civil Rights will draft updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, beginning in spring 2024, to include new cybersecurity requirements for healthcare organizations. The HHS said it will also ask Congress to approve stiffer monetary penalties for HIPAA violations, allow proactive audits, and provide more money for enforcement efforts.
The voluntary performance goals and new standards are designed to push healthcare facilities, hospitals in particular, to better protect patient data in an era when cyberattacks are commonplace, the HHS said. The goals help provide guidance for the industry about what the HHS expects from organizations trying to navigate “numerous cybersecurity standards and guidance,” the agency said.
“Funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector,” the agency said. The HHS said it would add the standards to existing regulations but did not provide a timeline for doing so.
The Biden administration will seek funding from Congress to help lower-resourced hospitals with upfront costs of implementing cybersecurity protections and additional funds to incentivize other hospitals to incorporate the practices, the HHS said. It will also seek funds to help healthcare organizations come into compliance with HIPAA regulations.
The release of the concept paper follows voluntary guidance on cybersecurity practices for health organizations issued last month by the Cybersecurity and Infrastructure Security Agency. The Biden administration issued its national cybersecurity strategy in March.
“[T]he Biden-Harris administration has worked to strengthen the nation’s defenses against cyberattacks,” HHS Secretary Xavier Becerra said in a press release. “The healthcare sector is particularly vulnerable, and the stakes are especially high. Our commitment to this work reflects that urgency and importance.”