HHS ‘Concept Paper’ Forecasts Stormy Cybersecurity Compliance Weather: New Cybersecurity Requirements and Increased Enforcement to Come in 2024

On Dec. 6, the Department of Health and Human Services (HHS or the Department) released what it is calling a “concept paper” on its role in cybersecurity for the healthcare sector (the HHS paper).[1] The HHS paper is sweeping in scope, laying out an ambitious vision of future action by the Department designed to address its view of the current state of healthcare cybersecurity. Below, we highlight some of the key takeaways for healthcare sector entities looking to manage security and compliance risk with a forward-looking perspective.


HHS sets the table for its industry approach against the backdrop of the larger healthcare cybersecurity landscape. Citing data from its Office for Civil Rights (OCR), which carries out Health Insurance Portability and Accountability Act (HIPAA) enforcement, HHS notes a 93 percent increase in “large breaches” reported between 2018 and 2022 – including a 278 percent increase in the number of such breaches involving ransomware.[2] The OCR still categorizes a “large breach” as one involving more than 500 individuals, although in reality, multimillion-person breaches are becoming increasingly common—in 2023 alone, the BakerHostetler team routinely advised clients on breaches involving over one million patients. These rising numbers, HHS suggests, evidence an increasingly dangerous threat landscape fraught with the potential physical impacts of healthcare security incidents, i.e., disruptions to patient care.


The Department’s Four-Pronged Strategic Vision


In the HHS paper, HHS announces its intention to address the darkening skies of healthcare cybersecurity risk with a four-pronged approach involving: 1) voluntary industry cybersecurity performance goals; 2) resources to support the implementation of practices that will help accomplish these goals; 3) greater enforcement and accountability; and 4) consolidating government industry support resources to increase their effectiveness.