How HHS has strengthened cybersecurity of hospitals and health care systems
Hospitals and health systems across the country are experiencing a significant rise in cyberattacks. These cyber incidents have caused extended disruptions, patient diversion to other facilities, and the cancellation of medical appointments and procedures — all of which undermine patient care and safety. These attacks also expose vulnerabilities in our health care system and degrade patient trust. The more they happen, and the longer they last, the more dangerous and expensive they become.
From the onset, the U.S. Department of Health and Human Services has been clear-eyed about the need for aggressive action, working hand-in-glove with hospitals and health care systems to create sustainable, actionable policies that improve cyber resiliency across the health sector. Over the past four years, HHS has taken numerous steps to deal with the growing number of cyberattacks on our hospitals and health care systems. The actions taken fall under three categories: policy and regulation, resources, and sector coordination.
In the first category, we developed and executed a department-wide strategy to increase enforcement and accountability in the sector, which outlined voluntary cybersecurity performance goals (CPGs). These CPGs help health care organizations prioritize the implementation of high-impact cybersecurity practices to better protect the sector from cyberattacks, improve response when events do occur, and minimize risk.
As part of this, HHS provided updates to the HIPAA Security Rule, which provides new cybersecurity requirements that all HIPAA-covered entities and their business associates must follow. The rule would help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals’ protected health information. The Food & Drug Administration implemented new pre-market cybersecurity requirements for all new medical devices. And the Centers for Medicare and Medicaid Services took steps to enhance cybersecurity among payers, clearinghouses, pharmacy switches, and clinical laboratories.
Second, we identified new resources to help small and under-resourced organizations implement cybersecurity practices. In 2024, HHS announced $240 million in hospital preparedness funding with a significant focus on cybersecurity. In addition to this down payment on our cybersecurity preparedness, ARPA-H is investing more than $50 million in new technology to improve the patching of security vulnerabilities. We are also aware that cyber incidents can impact our providers, so CMS established infrastructure to advance payments to ensure hospitals remain solvent in the event billing services are halted. As part of the effort to incentivize and help hospitals implement the best high-impact cybersecurity practices, HHS released a $1.3 billion legislative proposal to fund programs through Medicare. This funding, if appropriated, would enable hospitals to upgrade legacy technology, build and improve vulnerability management programs, and mitigate their third-party risks.
Third, the Administration for Strategic Preparedness and Response is working to improve cybersecurity coordination within HHS and the federal government, deepen HHS and the federal government’s partnership with industry, improve timely information-sharing and incident response activities, and increase uptake of government support and services. This includes our ongoing efforts at HHS to build out a one-stop shop for health care sector cybersecurity.
In addition to these large-scale efforts, we’ve also provided immediate resources — including free cyber awareness training to help employees understand best practices — and released the first-ever nationwide cybersecurity risk-mapping exercise for the health care sector to identify key vulnerabilities across critical functions of the system.
While this list is far from exhaustive, it captures some of the significant work undertaken by the Biden administration these past four years. But the work is far from over. Cyberattacks can have devastating impacts on patient safety and care, making cybersecurity of critical importance to our national security. Health care cybersecurity is an issue ripe for bipartisanship. We hope and anticipate the next administration shares this belief and continues to work across the aisle to find commonsense, sustainable solutions for this pressing issue.
For a cybersecurity strategy in the health care sector to be successful, there are a few lessons that policy officials and lawmakers must keep in mind:
We must invest in our under-resourced and rural organizations. It is clearer than ever that our entire health care system needs to elevate its cybersecurity. As Congress deliberates cybersecurity legislation, and as cybersecurity resources further develop for the sector, our government must ensure that our smaller, under-resourced organizations improve their cyber resiliency, whether that be through direct funding or technical assistance centers.
We must utilize artificial intelligence to help guide organizations. The use of AI models in health care will continue to expand as organizations continue to integrate this technology into their operations. With this reality, it is imperative that HHS continue to help build the resources and guidance necessary to help health care organizations assess the security implications of new AI tools.
We must maintain a sector-wide approach to cybersecurity. It is not enough to secure only our hospitals and medical devices — health care, more than any other critical infrastructure sector, relies on thousands of interconnected technologies and organizations to function. HHS must continue to be vigilant in assessing and mitigating risks everywhere, whether that be in medical clearinghouses, public health departments, e-prescribing software, or delivery networks of critical medical supplies. Because of this interconnectedness, every part of the ecosystem must do its part to build and maintain cyber resilience.
Bad actors have been increasingly sophisticated in their efforts to breach sensitive patient data and interrupt health care operations, making cyberattacks one of the top national security issues our country faces. HHS has responded to these challenges with concrete steps that help to ensure patient safety and ongoing functioning of our health care system. We have put in place the foundation for an ongoing effort to strengthen cybersecurity that HHS will be able to use for years to come.
Andrea Palm is deputy secretary of the Department of Health and Human Services. In her role at HHS, she is the chief operating officer and responsible for overseeing the day-to-day operations of the department.