HHS releases cybersecurity strategy for health care sector

Dec 06, 2023 - 03:50 PM
Department of Health and Human Services (HHS) Seal

The Department of Health and Human Services Dec. 6 released a concept paper outlining its cybersecurity strategy for the health care sector, which builds on a national strategy President Biden released last year. The paper calls for proposing new cybersecurity requirements for hospitals through Medicare and Medicaid; publishing voluntary health care-specific cybersecurity performance goals; working with Congress to develop funding and incentives for domestic hospitals to improve cybersecurity; developing enforceable cybersecurity standards; and strengthening the coordination role of HHS” Administration for Strategic Preparedness and Response as a “one-stop shop” for health care cybersecurity.

In a statement, AHA President and CEO Rick Pollack said, “Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks. The AHA has long been committed to helping hospitals and health systems with these efforts, working closely with our federal partners, including the FBI, HHS, Cybersecurity and Infrastructure Security Agency and many others to prevent and mitigate cyberattacks.

“Responding today to HHS’ ‘Concept Paper’ on strategies for enhancing health care cybersecurity, the AHA welcomes the investment of federal expertise and funding in protecting hospital and health system patients from heinous attacks on critical health care infrastructure. However, this fight is largely against sophisticated foreign-based hackers who often work at the permission of and in collusion with hostile nation states. Defeating these hackers requires the combined expertise and authorities of the federal government.

“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks.

“The AHA will continue to work with the federal agencies and Congress to develop and advance policies to protect patients, data and health care services from cyberattacks.”

Related News Articles

Headline
White House issues executive order addressing cybercrime by threat groups
The White House issued an executive order March 6 to combat cybercrimes by threat groups. The order highlights how such groups can receive willing or…
Headline
ASPR releases cybersecurity module to conduct risk assessments 
The Administration for Strategic Preparedness and Response has released a new cybersecurity module for organizations to conduct risk assessments. The free…
Perspective
Staying Cyber Alert and Cyber Ready
Public
As the world has learned in recent years, today’s conflicts are fought with many weapons, and cyber warfare is an integral part of the arsenal.As of this…
Headline
FBI reminds of potentially malicious activity by Iranian cyber actors
The FBI is reminding critical infrastructure organizations to implement mitigations from a June 2025 fact sheet on potential actions by Iranian-affiliated…
Headline
CISA report updates findings on RESURGE malware attacks
The Cybersecurity and Infrastructure Security Agency Feb. 26 released a report that updates findings from last year on RESURGE malware used to gain covert…
Headline
Agencies issue guidance on exploitation of Cisco systems by cyber actors 
U.S. and international agencies Feb. 25 released guidance on protecting Cisco Software-defined Wide-area Networking systems from exploitation by malicious…