HHS releases cybersecurity strategy for hospitals following uptick in cyberattacks

The US Department of Health and Human Services (HHS) announced on December 6 a series of steps it plans to take to help hospitals and health systems improve their cybersecurity following an uptick in cyberattacks.

The department’s cybersecurity strategy includes providing hospitals with financial incentives to implement best practices. The goal is to prevent future cyberattacks, Anne Neuberger, deputy national security advisor for cyber and emerging technologies, told Healthcare Brew.

“The healthcare sector consistently ranks at the bottom across critical infrastructure sectors by independent surveys on how they’re doing from a cybersecurity perspective,” Neuberger said. “To us, it’s a priority to partner with the sector to help: to make resources available, to make every security device available, to make toolkits available.”

Cyberattacks are up 93% since 2018 and attacks involving ransomware are up 278%, according to an HHS press release. Last month, a cyberattack that affected hospitals owned by Nashville-based Ardent Health Services in multiple states “led to ambulances being turned away, elective services being canceled, and rural clinics closing,” Neuberger said.

To help prevent similar cyberattacks in the future, HHS plans to:

• Publish cybersecurity performance goals to help hospitals prioritize what steps to take to secure their digital systems
• Provide incentives, including financial, for hospitals to implement cybersecurity best practices
• Propose enforceable cybersecurity standards to be incorporated into existing governmental health programs, such as Medicare, Medicaid, and HIPAA rules
• Improve hospitals’ access to the federal government for cybersecurity support

“HHS is working with healthcare and public health partners to bolster our cybersecurity capabilities nationwide,” HHS Secretary Xavier Becerra said in a statement. “We are taking necessary actions that will make a big difference for the hospitals, patients, and communities who are being impacted.”

Cryptocurrency is the primary reason cyberattacks have risen in recent years, Neuberger said. Many cyberattacks, she added, are “financially driven” and involve the attackers asking hospitals to pay a ransom fee to regain access to their digital systems. Bitcoin makes up the vast majority (98%) of ransom payments, according to professional services firm Marsh.

During the pandemic, hospitals were probably not focused on cybersecurity, Neuberger said. But, she said, now is the time to bump it up to the top of the priority list.

“If blood is spilled on the floor [of a hospital], it needs to be cleaned up quickly, in a particular period of time. That’s a sign of a good hospital and an effective hospital,” Neuberger said. “There’s similar practices in the digital domain that hospitals need to be adapting as a routine order of business.”

Neuberger added that it’s urgent for hospitals to “lock their digital doors.”

“While some have taken steps, there’s a lot more that needs to be done,” she said.