HHS releases cybersecurity strategy for health care sector

Dec 06, 2023 - 03:50 PM
Department of Health and Human Services (HHS) Seal

The Department of Health and Human Services Dec. 6 released a concept paper outlining its cybersecurity strategy for the health care sector, which builds on a national strategy President Biden released last year. The paper calls for proposing new cybersecurity requirements for hospitals through Medicare and Medicaid; publishing voluntary health care-specific cybersecurity performance goals; working with Congress to develop funding and incentives for domestic hospitals to improve cybersecurity; developing enforceable cybersecurity standards; and strengthening the coordination role of HHS” Administration for Strategic Preparedness and Response as a “one-stop shop” for health care cybersecurity.

In a statement, AHA President and CEO Rick Pollack said, “Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks. The AHA has long been committed to helping hospitals and health systems with these efforts, working closely with our federal partners, including the FBI, HHS, Cybersecurity and Infrastructure Security Agency and many others to prevent and mitigate cyberattacks.

“Responding today to HHS’ ‘Concept Paper’ on strategies for enhancing health care cybersecurity, the AHA welcomes the investment of federal expertise and funding in protecting hospital and health system patients from heinous attacks on critical health care infrastructure. However, this fight is largely against sophisticated foreign-based hackers who often work at the permission of and in collusion with hostile nation states. Defeating these hackers requires the combined expertise and authorities of the federal government.

“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks.

“The AHA will continue to work with the federal agencies and Congress to develop and advance policies to protect patients, data and health care services from cyberattacks.”

Related News Articles

Headline
FBI Co-deputy Director Andrew Bailey discusses current cyber and physical threats, rise of AI
FBI Co-deputy Director Andrew Bailey discussed a rise in cyber and physical threats impacting health care. He discussed health care as the top critical…
Headline
FBI: Health care was top target for ransomware, other cyberthreats in 2025 
Health care and public health was the top sector targeted for cyberthreats in 2025, according to the FBI’s latest annual report on internet crimes. There were…
Headline
Alerts warn F5 BIG-IP vulnerability being exploited for malicious activity 
The Cybersecurity and Infrastructure Security Agency released an alert March 27 on a vulnerability in F5 BIG-IP Access Policy Manager software that is being…
Headline
Alert warns of cyber actors using Telegram messaging app to push malware 
The FBI released an alert March 20 warning of a technique used by cyber actors working on behalf of the Iranian government to conduct malicious cyber activity…
Headline
CISA urges organizations to harden endpoint management systems following Stryker cyberattack
The Cybersecurity and Infrastructure Security Agency March 18 released an alert urging U.S. organizations to harden their endpoint management systems following…
Headline
Virtual event to focus on cyber incident response and recovery
The Health Sector Coordinating Council Cyber Working Group and Health-ISAC (Information Sharing and Analysis Center) will host a joint cybersecurity event July…