
HHS, NIST conference: Collaboration is key in healthcare cyber

HHS Deputy Secretary Andrea Palm emphasized the role of collaboration in tackling healthcare cybersecurity challenges at a conference held in Washington.

Officials from HHS, the National Institute of Standards and Technology and other agencies stressed the role of collaboration in improving healthcare cybersecurity throughout the first day of the Safeguarding Health Information: Building Assurance through HIPAA Security 2024 conference, hosted by the HHS Office for Civil Rights and the NIST Information Technology Laboratory in Washington.

During a keynote presentation on Oct. 23, 2024, Andrea Palm, deputy secretary of HHS, reflected on the longstanding partnership between OCR and NIST, both of which play important roles in improving healthcare cybersecurity.

"For years, we have worked together to develop new tools, guidance and resources to help organizations build their cyber defenses, comply with the HIPAA Security Rule, and improve their resilience," Palm said.

"This partnership is more important than ever and a key part of how the entire healthcare ecosystem will mature in its cyber capabilities to keep patients safe and their personal data secure."

Palm noted that there was a 264% increase in data breaches involving ransomware from 2018 to 2022. But troubling data breach and ransomware figures are not the only thing driving increased collaboration between government agencies like HHS and NIST.

"We've seen extended care disruptions, patient diversions, and delayed medical procedures, all of which put patient safety at risk, which is the core of how we come to the table on this issue," Palm stated.

"And so, if we fail to meet this challenge, we really are not only risking personally identifiable health information, but the safety of the patients that we all serve."

Palm identified three principles that continue to guide HHS' strategy for healthcare cybersecurity moving forward: strengthening accountability, supporting the sector financially and improving coordination.

Palm highlighted the struggles of rural healthcare facilities and critical access hospitals, which often do not have the finances available to make necessary investments in cybersecurity.

"There are simply too many doors when engaging the federal government on cybersecurity, and this is, again, particularly apparent and felt in our under-resourced parts of the healthcare sector," Palm said regarding improving coordination across government agencies.

Palm emphasized actions that HHS has taken in the past year to bolster healthcare cybersecurity across the sector, such as the December 2023 release of a concept paper that outlined the department's healthcare cybersecurity strategy.

Additionally, HHS issued its cybersecurity performance goals (CPGs) in January 2024 to help healthcare organizations prioritize the implementation of key cybersecurity practices.

"As we pursue new regulatory efforts for cybersecurity, we are committed to leveraging these CPGs to inform the creation of clear and actionable cybersecurity standards for all healthcare organizations to follow," Palm noted.

Palm highlighted several financial resources that have become available or are on the horizon, such as $240 million in funding awarded by the Administration for Strategic Preparedness and Response through the Hospital Preparedness Program, which for the first time highlighted cybersecurity as a potential use of those funds.

What's more, in March, President Biden submitted his fiscal year 2025 budget request, which proposed $1.3 million in financial incentives to help hospitals defend against cyberattacks.

Palm closed out the keynote session by highlighting HHS' department-wide strategy to increase accountability in the sector, and its efforts to update the HIPAA Security Rule to include new cybersecurity requirements. Additionally, Palm emphasized the department's efforts to build a one-stop shop for healthcare cybersecurity practices and ongoing efforts to further expand the department's partnerships with industry and government.

"We know that it's only a matter of time before another cyber incident happens, so we all must do our part. We're here today to continue working together to identify new ways to help all organizations protect their systems and secure our data," Palm said.

"I hope we can use this conference and the partnership between OCR and NIST to enhance our work with industry and improve cyber resilience in data protection across the country. I hope all of you know how urgent an issue this is for HHS and the patients that we all serve. I look forward to our partnership and the work ahead."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
