AHA says that HHS' proposed cybersecurity practices would in some ways be counterproductive for hospitals in their shared goal to prevent cyberattacks.
AHA calls proposed HHS cybersecurity penalties on hospitals "counterproductive" as attack prevention strategy
December 15, 2023, by John R. Fischer, Senior Reporter
According to the American Hospital Association, the Medicare and Medicaid requirements proposed in the Department of Health and Human Services' concept paper for addressing cyber threats in healthcare would worsen, not improve, the ability of hospitals to prevent cyberattacks.
Building on President Joe Biden’s National Cybersecurity Strategy released in March 2023, HHS has proposed a four-step plan for building up cyber resiliency in the healthcare sector, including an HHS-wide strategy designed to enforce adherence to cyber prevention practices and hold those in violation accountable.
Under the proposal, new cybersecurity measures would be levied on hospitals through Medicare and Medicaid and added to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in spring 2024. HHS would work with Congress to increase civil monetary penalties for HIPAA violations and secure more resources to investigate potential HIPAA violations, conduct proactive audits, and scale outreach and technical assistance for low-resourced organizations to improve HIPAA compliance.
“Given the increased risk profile of hospitals, HHS aspires to have all hospitals meeting sector-specific Cybersecurity Performance Goals (CPGs) in the coming years,” said the agency in its proposal.
In a statement, AHA President and CEO Rick Pollack called this “counterproductive,” saying that these proposals would hold hospitals responsible for hackers’ actions and reduce the resources hospitals need to combat those crimes.
“This fight is largely against sophisticated foreign-based hackers who often work at the permission of and in collusion with hostile nation-states. Defeating these hackers requires the combined expertise and authorities of the federal government,” he said.
HHS also said that it would create voluntary healthcare and public health (HPH) sector-specific CPGs for providers to prioritize, along with an upfront investment program to help low-resource hospitals afford the resources needed to adhere to the essential HPH CPGs. Additionally, a separate incentive program would be put in place to encourage all hospitals to invest in advanced cybersecurity practices and implement the enhanced HPH CPGs.
To help providers access resources from the federal government for combating attacks, HHS will expand its “one-stop shop” cybersecurity support feature.
“A one-stop shop will enhance coordination within HHS and the federal government, deepen government’s partnership with industry, increase HHS’s incident response capabilities, and promote greater uptake of government services and resources such as technical assistance, vulnerability scanning, and more,” said the agency.