Upcoming HHS Strategy Enhancements to Bolster Healthcare Cybersecurity

In March 2023, the US Administration released the National Cybersecurity Strategy. Set forth by the U.S. government, this strategy reimagines a comprehensive approach to a safe and secure digital ecosystem for all by shifting the responsibility to organizations best equipped to handle risks, strategically aligning incentives to protect against urgent threats, and aligning to the long-term vision for the future. 

Among industries most impacted by cybersecurity threats, healthcare remains increasingly targeted. According to HIPAA Journal, 328 healthcare providers have suffered a data breach this year. Similarly, according to Claroty’s 2023 Global Healthcare Survey report, 78% of respondents experienced at least one cybersecurity incident over the last year and 60% of organizations impacted by incidents reported a moderate to substantial impact on patient care delivery. As a result, the healthcare industry has urged - and in some cases required - tighter regulations and industry guidance around cybersecurity best practices due to the variety and impact of cyber incidents. In the Spring of 2023, Section 405(d): Aligning Health Care Industry Security Approaches was updated to include a deeper set of considerations. Specifically, Cybersecurity Practice #9: Network Connected Medical Devices suggests guidance around fundamental security best practices such as asset management, endpoint protection, identity and access management, network management, vulnerability management, and more.

The latest concept released by the HHS, continues momentum from the 405(d) updates while leveling up healthcare cybersecurity industry standards and opportunities to further align with the National Cybersecurity Strategy. The concept paper, titled  “Healthcare Sector Cybersecurity, Introduction to the Strategy of the U.S. Department of Health and Human Services” details four pillars for healthcare organizations to take action on, including publishing new voluntary healthcare-specific cybersecurity performance goals, new support, and incentives to improve hospitals, a greater focus on enforcement & accountability, and maturation into a one-stop shop for healthcare cybersecurity. 

Due to the conceptual nature of this release, there will be more details to follow in the coming months. Key highlights to look out for from HHS include:

1. New Goals Set for the Healthcare Cybersecurity Sector: The HHS will establish and publish new, voluntary goals for the industry. These healthcare and public health sector-specific cybersecurity performance goals (HPH CPGs) will outline minimum essential goals required for foundational cybersecurity activities while encouraging stretch goals to encourage greater sophistication of advanced cybersecurity performance.

2. New Support and Incentives: The HHS will work with Congress to administer financial support to scale cybersecurity best practices. This will include an investment program to support high-need, low-resourced providers to implement essential CPGs and an incentives program for hospitals to drive the implementation of enhanced CPGs across health systems. 

3. Greater Enforcement & Accountability: The rollout of new CPGs will inform the creation of new, enforceable cybersecurity standards. In spring 2024, the HIPAA Security rule will require new cybersecurity requirements and new cybersecurity requirements will be proposed through Medicare and Medicaid. These are two near-term actions where the newly defined CPGs may directly come into play.

4. Expansion of HHS for Program Maturity: The HHS will continue to strive to be a go-to resource for cybersecurity maturity and support through new approaches such as stronger partnerships with the government, additional resources, technical assistance, and more. 

How is Claroty Prepared to Help?

As these new goals, support, and accountability standards in healthcare cybersecurity come together from the HHS, Claroty is prepared to support. Our purpose-built healthcare solution, The Medigate Platform offers a highly flexible & customizable solution to accommodate a wide array of security best practices to support all levels of cybersecurity program maturity. Whether that be implementing initial device visibility and risk management, to more sophisticated approaches such as network segmentation and threat detection across all cyber-physcial systems such as IoT, IoMT, and BMS. Our modular platform enables organizations to implement processes while setting and tracking goals to meet cybersecurity requirements.

To learn more about how Claroty can support your healthcare security journey, please check out the Medigate Platform Solution Overview or simply request a demo.