The American Hospital Association (AHA) has criticized the Department of Health and Human Services’ (HHS) proposed cybersecurity plans for healthcare, proposing that they may actually weaken a hospital’s ability to prevent cyber attacks.
- The HHS proposed cybersecurity plan includes Medicare and Medicaid requirements, potential cyber prevention adherence strategies and potential HIPAA violation penalties.
- The AHA believes that these will hold hospitals accountable for hacking incidents instead of providing them resources to prevent such incidents from happening in the future.
- Under the HHS proposal, additional cybersecurity measures will be levied on hospitals and added to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in spring 2024.
The HHS cybersecurity measures have been drafted in response to President Joe Biden’s National Cybersecurity Strategy, and it involves a four-step plan designed to fortify cyber resilience across the healthcare industry. While the AHA and the HHS share a common goal – the prevention of cyber attacks – the AHA argues that the HHS requirements may actually debilitate hospitals in their efforts.
A point of contention is the HHS aspiration for all hospitals to meet sector-specific Cybersecurity Performance Goals (CPGs). The AHA president and CEO, Rick Pollack, suggested that these types of measures could hold hospitals accountable for the actions of external hackers and therefore, reduce their defensive capabilities.
The HHS has also proposed the creation of voluntary performance guides for specific healthcare and public health sectors. These would allow for prioritization and provide low-resource hospitals with upfront investment programs. In addition, HHS plans to incentivize hospitals to invest in advanced cybersecurity practices through an incentive program.
Finally, the HHS has proposed the expansion of a “one-stop shop” cyber support feature that intends to improve internal coordination and partnerships with industry. It also aims to increase the HHS’s incident response capabilities.