
How HHS Plans to Prioritize Healthcare Cybersecurity

At the HIMSS Healthcare Cybersecurity Forum, HHS representatives discussed healthcare cybersecurity focus areas for the next 12 to 24 months.

HHS and its many agencies and offices serve a variety of roles within the healthcare sector, including several in cybersecurity. At the most recent HIMSS Healthcare Cybersecurity Forum, leaders from the Administration for Strategic Preparedness and Response (ASPR), the Office for Civil Rights (OCR), and the 405(d) Program joined a panel to discuss how their agencies and offices are working together to uplift the sector’s cybersecurity posture.

The three representatives shed light on how their offices plan to continue to prioritize healthcare cybersecurity in the next 12 to 24 months with new and ongoing initiatives.

ASPR Seeks to Expand Cyber Capabilities

As the healthcare sector’s designated Sector Risk Management Agency (SRMA), ASPR leads HHS’ efforts to identify sector priorities, mitigate risk, and coordinate between public and private sector partners.

Thomas Christl, branch chief of the Infrastructure Analysis and Partnerships Branch at HHS ASPR, highlighted ASPR’s upcoming investments and actions, on the heels of the White House’s commitment to creating updated healthcare cybersecurity standards.

“We're actually in the process of building out an SRMA cyber division,” Christl told the audience. “We currently have a single senior cybersecurity advisor who's handling a lot, and although we have great partners, it is just not enough. We are taking some resources and building out that structure so that we can partner better, and we can do more to help ourselves and help you.”

In October 2022, ASPR announced version 2.0 of its Risk Identification and Site Criticality (RISC) Toolkit. Version 1.0 was released in the fall of 2018 to provide healthcare organizations with tools to enhance emergency preparedness planning, resource investments, and risk management activities.

RISC 2.0 will contain more advanced tools on a web-based platform and will be more dynamic and customizable rather than utilizing static surveys.

Additionally, Christl said that ASPR plans to build out technology to help it better track, analyze, and report cyber incidents. Investments from HHS leadership and additional resources dedicated to ASPR will ideally help the office improve cyber incident tracking and streamline processes.

“Investment from our senior leadership will translate in some instances to people, others just capacity, and allowing us to do more at all levels – more strategy, policy, and partnerships.”

OCR Tackles Increased Complaint Volume

OCR is responsible for enforcing federal civil rights laws, as well as the HIPAA Privacy, Security, and Breach Notification Rules. The office frequently releases guidance for HIPAA-covered entities, helping them navigate compliance complexities.

In addition, OCR investigates potential HIPAA violations in response to complaints and breach reports. This year, OCR has fielded thousands of complaints.

“We receive a lot of complaints. We're on track for well over 30,000 complaints that people have submitted to us regarding potential violations of their privacy or security of health information,” said Nicholas Heesters, senior advisor for cybersecurity at OCR.

“We received over 700 breach notifications affecting over 500 individuals for 2022. We're on track for similar numbers for 2023.”

As such, a major focus for OCR will be managing its complaint volume and following through with investigations. HHS took a step forward in this area in February 2023, when it announced new restructuring efforts for OCR, including the formation of three new divisions to help manage its increased volume of HIPAA and HITECH complaints and compliance reviews.

Heesters said that OCR would continue to provide resources to help covered entities understand HIPAA rules, as well as invest additional resources into responding to complaints and working alongside entities to resolve potential violations.

405(d) Drives Progress With New Publications

The HHS 405(d) Program, a collaborative effort between the Health Sector Coordinating Council (HSCC) and the federal government, began as a congressional mandate under the Cybersecurity Act of 2015, Section 405(d).

The 405(d) Task Group has evolved from its initial objective of providing a best practices document for mitigating cyber risk to publishing several key resources and tools to help health organizations tackle cyber threats and educate workforce members.

Nick Rodriguez, HHS 405(d) Program manager, spoke about the program’s ongoing efforts to raise awareness of its publications and align messaging between CISA and HHS at the senior and staff levels.

“At 405(d), we're really building up the support to better help industry and come together in a joint effort to produce more documents, more trainings, and more cyber education, whether that's infographics or campaigns and things that really support broader cyber hygiene,” said Rodriguez.

“There's a lot more direct outreach that we are looking to really do over the next 12 to 18 months.”

In April, the program released the 2023 edition of the Health Industry Cybersecurity Practices (HICP), a foundational publication that aims to raise awareness of healthcare cybersecurity risks. Originally published in 2018, the HICP is a multi-volume publication that contains a set of voluntary, consensus-based cybersecurity guidelines. HICP 2023 includes input from more than 150 industry experts and places emphasis on providing cost-effective ways to mitigate cyber threats.

Rodriguez also highlighted new developments in Knowledge on Demand, a recently released online educational platform that offers free cybersecurity trainings to healthcare organizations, as well as the “Hospital Cyber Resiliency Landscape Analysis,” a report that measured hundreds of hospitals against HICP guidelines to provide benchmarking data for the industry.

Two new joint efforts are on the horizon at 405(d), Rodriguez said, including a cyber enterprise risk management (ERM) publication and a re-release of its operational checklist.

“We are really leaning into those new products and continuously updating Knowledge on Demand and of course our general outreach efforts,” Rodriguez continued.

The HHS leaders provided a glimpse into what’s to come for the sector, which has been hit hard by data breaches in recent years. A combination of federal efforts and industry collaboration will hopefully help the sector expand its capabilities and reduce risk.
