HHS’s new ‘voluntary’ cybersecurity initiatives for health care facilities

To prevent large breaches of patient data, which rose 93% between 2018 and 2022, the Department of Health and Human Services wants to establish sector-specific cybersecurity performance goals for health care providers.


Health care facilities this year should prepare for new cybersecurity compliance goals from regulators—likely requiring additional investments and posing greater enforcement risks.

The concern is driven in part by a “concept paper” issued last month by the Department of Health and Human Services that paints a broad picture of how regulators could deal with cybersecurity risks in the near future.

The HHS Office for Civil Rights, which carries out HIPAA enforcement, said it tracked a 93% increase in large data breaches from 2018 to 2022, from 369 to 712.

Particularly troublesome have been ransomware attacks, which soared by 278% over the period.

“We’re seeing attacks become much more personal and targeted in ways that threaten employees and disrupt patient care,” said Kimberly Gordy, a partner at Baker & Hostetler and leader of the firm’s digital assets and data management team in Houston.

In a nutshell, HHS wants to establish “voluntary” sector-specific cybersecurity performance goals for health care providers. It would seek funding for under-resourced hospitals to incentivize and implement best practices and offer health providers “one stop” access to technical support.

In return, though, expect greater enforcement and accountability.

Initially, the efforts may bring a degree of confusion, however.

At present, many health care firms rely on HHS’ so-called 405(d) Program, which developed a number of cybersecurity approaches and resources. And last year a task force updated its efforts with hundreds of pages of new guidance, Baker & Hostetler noted in an analysis on the HHS plan last month.

Gordy said she would be “very surprised” if the new guidelines differed greatly from the recognized security practices outlined in the 405(d) guidance, at least initially.

But the law firm noted that “more concern may be warranted” regarding the role of the cybersecurity goals in future regulatory action. For example, will findings of noncompliance with the HIPAA Security Rule result in higher penalties when an organization does not adhere to the cybersecurity performance goals? “In other words, is this truly voluntary?” Baker & Hostetler asked.

“This is a change from the ‘recognized security practices,’ which are intended to serve as a mitigation factor, rather than a basis for penalties,” Gordy said.

Another pillar of the HHS concept paper—helping drum up funding for under-resourced hospitals to implement cybersecurity measures—also raises questions. “This may sound beneficent; however, investment is to be ‘encouraged’ through ‘incentives’ such as ‘imposition of financial consequences for hospitals,’” the law firm noted.

“The nature of such consequences and criteria for their application are left to the imagination.”

On the plus side, HHS assistance to under-resourced hospitals would be welcome, as “we’re seeing these technical tools becoming increasingly expensive,” Gordy said.

For many hospitals and health care providers, the third rail of HHS’ concept paper is the potential for greater enforcement and accountability.


“HHS acknowledges that funding and voluntary goals alone will not create the change needed across the health care industry,” Lauren DeMoss, a shareholder at Maynard Nexsen, said in a recent client advisory.

DeMoss also noted that the HHS said it expects that civil monetary penalties for HIPAA violations will rise and that the agency’s Office for Civil Rights will update its HIPAA Security Rule to include new cybersecurity requirements.

Moreover, the Centers for Medicare and Medicaid Services is expected to impose new cybersecurity requirements on hospitals beginning this spring.

“Based on the HHS paper and observed trends in practice, HHS is going to be very busy on the legislative and enforcement fronts in 2024,” Baker & Hostetler wrote.

“HIPAA-covered entities and business associates should anticipate that cybersecurity regulatory compliance is getting harder and will require greater investment and the consequences for insufficient resourcing and attention will continue to increase risk.”

Gordy said health care facilities need organization-wide buy-in, including from upper management, when assessing and addressing cybersecurity risk, rather than simply deferring to the IT department.

“It’s incredibly important that they view cybersecurity as a team sport,” Gordy said.

Gordy recommends that health care organizations create cross-departmental teams including legal, compliance, IT and other relevant departments—noting the health care industry’s traditionally siloed structure.

Gordy advises clients to update their HIPAA Security Risk Analysis and take steps to align with 405(d). She also recommends reviewing vendor protocols to confirm that safeguards such as two-factor authentication and endpoint monitoring are in place.

In recent years a number of hospitals have seen breaches of patient data via third-party contractors through the “Meta pixel,” a piece of code allowing hospitals to track visits to their websites. These include patient-facing portals where patients can schedule appointments and view their medical information.

Facebook is alleged to have collected personally identifiable patient information for its own targeted ads, as many of those patients are Facebook customers—driving a number of patient lawsuits against hospitals nationwide.

For example, in 2022 Partners Healthcare System reached an $18.4 million settlement with patients over tracking pixels that provided such information without patients’ consent.
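As an added example that is not part of the article, the Node.js snippet below audits a patient-portal page for resources loaded from third-party hosts, which is the channel through which a tracking pixel forwards visit and form data off-site. The portal hostnames, the sample HTML and the pixel id are constructed placeholders.

```javascript
// Hosts that belong to the organisation's own portal (assumed for this example).
const FIRST_PARTY_HOSTS = new Set(['portal.example-hospital.org', 'cdn.example-hospital.org']);

// Extract every src reference from script, img and iframe tags.
// A regex scan is sufficient for auditing static HTML; it is not a full HTML parser.
function extractResourceLoads(html) {
  const tagRe = /<(script|img|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const loads = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    loads.push({ tag: m[1].toLowerCase(), src: m[2] });
  }
  return loads;
}

// Return the loads whose destination host is neither the page's own host nor an
// allow-listed first-party host, together with the host that receives the request.
function findThirdPartyLoads(html, pageUrl) {
  const base = new URL(pageUrl);
  const findings = [];
  for (const load of extractResourceLoads(html)) {
    let url;
    try { url = new URL(load.src, base); } catch { continue; } // skip malformed src values
    if (url.hostname !== base.hostname && !FIRST_PARTY_HOSTS.has(url.hostname)) {
      findings.push({ ...load, host: url.hostname });
    }
  }
  return findings;
}

// Constructed sample: an appointment page that embeds the standard Meta pixel loader
// and its <noscript> fallback image (the pixel id is a placeholder, not a real value).
const SAMPLE_PORTAL_HTML = `
<html><head>
<script src="/static/portal.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
<img src="https://cdn.example-hospital.org/logo.png">
<form action="/appointments/schedule">...</form>
</body></html>`;

// Report each third-party destination so the portal team can decide whether it belongs there.
for (const f of findThirdPartyLoads(SAMPLE_PORTAL_HTML, 'https://portal.example-hospital.org/appointments')) {
  console.log(`${f.tag} loads from third-party host ${f.host}: ${f.src}`);
}
```

The same check can be run against fetched HTML of each patient-facing route; any host not on the first-party list is a vendor relationship to review, as the article recommends.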