The Department of Health & Human Services (HHS) released a concept paper outlining its strategy for improving cybersecurity infrastructure within the healthcare sector. The paper calls for proposing healthcare-specific cybersecurity performance goals that will include both minimum foundational practices and advanced goals for cybersecurity performance. By centralizing these performance goals into the Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs), HHS hopes to provide clear directives for stakeholders. This paper comes on the heels of the White House’s March National Cybersecurity Strategy and HHS’s April 2023 Hospital Cyber Resiliency Landscape Analysis.

HHS initially intends to incentivize the adoption of these performance goals by working with Congress to increase funding, develop incentives, and increase enforcement authority to improve cybersecurity. Specifically, HHS has stated that it will take the following concurrent steps:

  1. Establish voluntary cybersecurity performance goals for the healthcare sector
  2. Provide resources to incentivize and implement these cybersecurity practices
  3. Implement an HHS-wide strategy to support greater enforcement and accountability
  4. Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity

Notably, HHS will also seek to incorporate the HPH CPGs into existing regulations and programs, including (1) by working with CMS to adopt new cybersecurity requirements for hospitals participating in Medicare and Medicaid; and (2) through proposed updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in Spring 2024. These revisions are notable in that HIPAA’s security standards have not been revised in over 18 years, and hospitals would be subject to compliance surveys from state health departments and The Joint Commission (TJC) pursuant to the Medicare Conditions of Participation for Hospitals.

Bradley will continue to monitor this development and provide updates as HHS moves forward with these implementation strategies.

Amy Leopard

Amy Leopard is a partner and leader in Bradley’s Health Information Technology, Privacy & Security practice. Amy advises clients on complex health IT matters at the intersection of healthcare, technology, and law. She is a Fellow in HIMSS and serves on the Board of the American Health Law Association, where she chaired the AHLA Health IT Practice Group. Amy is nationally ranked in Chambers USA for Healthcare Privacy and Data Security. She is a regular thought leader and is a blog editor for Bradley’s Online and On Point blog.

Eric Setterlund

Eric Setterlund serves as counsel in Bradley’s Healthcare and Cybersecurity and Privacy practice groups. He has extensive experience with matters related to healthcare privacy, security protections and regulatory compliance. Prior to joining the firm, Eric served as chief privacy officer and privacy and data counsel for BlueCross BlueShield of Tennessee. He draws upon his real-world business and program management experience to provide his clients practical advice for complex regulatory and transactional matters.

Brett Lawrence

Brett Lawrence is an associate in the Banking and Financial Services Practice Group who focuses his practice on data privacy and cybersecurity issues, insurance coverage, and other general and professional liability matters. He is a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals.