The U.S. Department of Health and Human Services (HHS) recently issued a strategy paper highlighting key aspects of its plan to revamp cybersecurity requirements in the healthcare industry. Citing a 93% increase in large data breaches in healthcare from 2018 to 2022 and a rapid increase in ransomware attacks against U.S. hospitals, HHS issued the strategy as part of a broad effort to implement the Biden Administration’s National Cybersecurity Strategy. As a part of its strategy, HHS is focusing on four primary goals:

1) Establish voluntary cybersecurity performance goals for the healthcare sector;

2) Provide resources to incentivize and implement these cybersecurity practices;

3) Implement an HHS‑wide strategy to support greater enforcement and accountability; and

4) Expand and mature the one‑stop shop within HHS for cybersecurity.

To achieve these goals, HHS highlights several novel approaches. One notable approach includes implementing an investment‑based incentives program to encourage hospitals to invest in advanced cybersecurity practices that satisfy the newly defined Healthcare and Public Health Sector‑specific Cybersecurity Performance Goals. In addition, HHS’s Office for Civil Rights (OCR) will update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in the spring of 2024 to include new cybersecurity requirements.

HHS plans to work with Congress to increase the amounts of civil monetary penalties for HIPAA violations and to expand its investigative capabilities in the area. The new strategy will draw on the Administration of Strategic Preparedness and Response (a/k/a, ASPR) to streamline this multi‑tiered HHS effort.

Additionally, we expect OCR to continue to use its existing investigative and enforcement powers to “encourage” the healthcare system to take steps to identify and address cybersecurity vulnerabilities along with proactively and regularly reviewing risks and records, and updating policies. For example, on October 31, 2023, OCR announced a $100,000 settlement with Doctors’ Management Services (DMS), a Massachusetts medical management company. DMS was compromised by a ransomware attack that impacted 206,695 individuals. The DMS resolution was OCR’s first ransomware settlement involving a business associate, and signals more ransomware‑related settlements to come.

Matthew J. Westbrook

Matt Westbrook is a senior counsel in the Corporate Department and a member of the Health Care Group. His practice focuses on providing regulatory compliance advice for the Firm’s health care clients, including service providers, health plans, operators, investors, and lenders, among others. Matt specifically provides advice on fraud and abuse matters arising under the Federal False Claims Act (FCA), Civil Monetary Penalties Law, Federal Anti-Kickback Statute (AKS), and Physician Self-Referral Law (Stark Law), as well as on the regulations promulgated by the Drug Enforcement Administration (DEA) and the Department of Health and Human Services, including the Office of Inspector General (OIG), Centers for Medicare & Medicaid Services (CMS), and Food and Drug Administration (FDA).

Before joining the Firm, Matt served as senior counsel in OIG’s Administrative and Civil Remedies Branch. At OIG, Matt was responsible for determining whether to impose administrative sanctions, including civil money penalties and Federal health care program exclusions, against health care providers and suppliers, and whether to impose civil money penalties on hospitals and physicians in connection with matters referred to CMS under the Emergency Medical Treatment and Labor Act (EMTALA). During his tenure, Matt also litigated exclusion appeals before administrative law judges and appellate panels of the Departmental Appeals Board; advised United States Attorney’s Offices on exclusions appealed to Federal district courts; resolved voluntary self-disclosures submitted by providers and grant and contract recipients; and participated in the negotiations and settlements of FCA matters by the Department of Justice involving the AKS, Stark Law, CMS reimbursement issues, and DEA and FDA compliance issues. In connection with certain FCA resolutions, Matt also negotiated and monitored corporate integrity agreements.

On the Florida junior circuit and in college, Matt was a competitive tennis player. Matt played on the varsity team and was captain his senior year at Rhodes College, earning ITA Division III and SCAC All-Academic Honor Roll awards his sophomore, junior, and senior years. Matt is an active member of the American Health Law Association (AHLA) and currently serves as a Vice Chair of AHLA’s Fraud and Abuse Practice Group.

Articles:

Matthew J. Westbrook and David M. Blank, “Using OIG’s Cross-Component Audit and Enforcement Data to Strengthen Your Compliance Program,” Compliance Today (February 2024).

Ed Kornreich, Matthew Westbrook, and Angela Gichinga, “Bracing for the Impact of the No Surprises Act,” Westlaw Today (June 16, 2022).

Presentations:

Bill Mathias and Matt Westbrook, “‘Lightning Round’: A Fraud & Abuse Due Diligence Game Show,” American Health Law Association (Health Care Transactions Conference, May 5–6, 2025).

Matthew J. Westbrook and David M. Blank, “Recent Trends in CMPL Enforcement,” American Health Law Association (Webinar, May 24, 2023).

Michael Menconi

Michael Menconi is an associate in the Corporate Department and a member of the Health Care Group.