Strengthening Healthcare Cybersecurity: Biden Administration Proposes Minimum Standards

The healthcare industry’s integration of digital systems for managing patient records, delivering care and streamlining operations has been a fundamental aspect of its evolution for over a decade. This transformation, significantly propelled by the Health Information Technology for Economic and Clinical Health (HITECH) Act, has not only reformed healthcare delivery but also heightened the sector’s exposure to cyber threats. These threats compromise the integrity and confidentiality of sensitive health information and have become more sophisticated over time. According to a report from technology review and cybersecurity research firm Comparitech, healthcare organizations faced an average downtime of nearly 14 days, during which they were either shut down or unable to provide services, due to ransomware attacks from 2016 to mid-October of 2023. According to the HHS Office for Civil Rights, there has been a 93% increase in large breaches reported to OCR (369 to 712 from 2018-2022), with a 278% increase in large breaches involving ransomware.

Focus on Cyber Protections

In a recent development, the Department of Health and Human Services (HHS) has released a concept paper establishing a comprehensive framework to which healthcare organizations must adhere, fostering a more robust defense against cyber threats. This move comes in response to the escalating frequency and sophistication of cyberattacks targeting healthcare institutions, and it fulfills the Biden administration’s vision of bolstering protections for healthcare infrastructure against cyber threats as part of a larger National Cybersecurity Strategy.

The proposed framework encompasses industry goals, incentives and increased support for healthcare organizations, but also greater enforcement of and accountability under HIPAA, whose standards HHS will be updating in the Spring of 2024 as part of its efforts to bolster cyber protections for patients. Increases to civil monetary penalties for HIPAA violations, and to the resources available to investigate potential violations and conduct “proactive audits,” are expected. It is anticipated to be the biggest change to HIPAA since the Breach Notification Rule in 2009 and the Omnibus Final Rule in 2013.

Requirements Create Opportunities and Risks

The Centers for Medicare and Medicaid Services (CMS) will play a pivotal role in creating and enforcing cybersecurity guidelines. Hospitals and healthcare providers participating in CMS programs will be required to adhere to these minimum standards to continue receiving federal funding. This aligns with the administration’s strategy to incentivize cybersecurity measures by tying them to funding, encouraging widespread adoption across the healthcare landscape.

While the proposed standards present a significant step towards strengthening healthcare cybersecurity, they also pose challenges for organizations in terms of implementation and compliance. Healthcare institutions will need to invest in technology, training and personnel to meet these standards.

Risk Management Coordination

RCM&D Healthcare Practice is dedicated to assisting clients through the current and upcoming challenges that the cybersecurity landscape presents. Harnessing our tools and expert insights through the Cyber RiskScript Process, we utilize self-assessments, vulnerability scans, limit modeling and technical consulting to determine our clients’ needs. We also partner with insurers and third-party cybersecurity firms to monitor for and prepare effective responses to security incidents in order to prevent and mitigate losses. In this ever-changing cybersecurity environment, we are here to provide guidance and support, helping your healthcare organization navigate these complexities with confidence and strategic insight.

Reach out to an Advisor

Talk to a trusted RCM&D advisor today for more on the cyber risks faced by healthcare organizations.