HIPAA Security Overhaul and Incentives for Cyber Performance Goals? The HHS Introductory Strategy for Healthcare Sector Cybersecurity is a Game Changer
Published On December 14, 2023
The healthcare industry is currently facing unprecedented challenges in the form of cyber threats and attacks. As the digital revolution continues in healthcare, it has become crucial for healthcare organizations to have strong cybersecurity measures. Yet cyber incidents that disrupt patient care services have steadily increased yearly since 2018. In an effort to stem the tide, and at the behest of the Biden administration's National Cybersecurity Strategy released in March 2023, the Department of Health and Human Services (HHS) has released its introductory strategy for Healthcare Sector Cybersecurity. In this blog post, we will explore the importance of this announcement and why Covered Entities and Business Associates need to begin planning the work to meet these guidelines.
The HHS introductory strategy outlines four key steps to advance cyber resiliency in the healthcare sector.
- Establish voluntary cybersecurity performance goals for the healthcare sector
- Provide resources to incentivize and implement these cybersecurity practices
- Implement an HHS-wide strategy to support greater enforcement and accountability
- Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity
We’ve been reading the tea leaves at CORL for all of 2023, and we thought there might be some kind of Meaningful Use carrots-and-sticks program applied to cybersecurity, given all the different HHS and CISA activities around healthcare and critical infrastructure. This HHS announcement looks like that’s exactly what’s coming. Here are the three biggest takeaways from this strategy document and our analysis of what to expect.
Takeaway 1) With input from the industry, HHS will establish and publish Healthcare & Public Health Sector-specific Cyber Performance Goals (HPH CPGs)
Just like the reasoning behind the CISA Cross-Sector CPGs, this effort aims to help the healthcare sector prioritize implementing the most critical cybersecurity practices. The number and size of relevant frameworks that apply to healthcare cybersecurity make it difficult for cyber risk professionals to prioritize where to start and what to cover, especially in smaller organizations. It’s not clear yet how much these HPH CPGs will differ from the CISA CPGs or the Health Industry Cybersecurity Practices (HICP). We assume that they will very closely mirror the cross-sector CPGs but cover some of the most critical areas from HICP that are not included in the CISA CPGs, while also narrowing the Operational Technology (OT) content down to the medical devices, IoT and IoMT that are more frequently found in the healthcare industry.
Takeaway 2) HHS will work with Congress to obtain funding to provide upfront investments to help “high-need” HDOs cover the cost of implementing the “essential” HPH CPGs and performance incentives for implementing the “enhanced” CPGs
This is exactly the Meaningful Use (MU) approach that has been discussed for a few years, but many were skeptical that it could come to pass. It’s a welcome announcement. It is no secret that cash-strapped health systems have difficulty prioritizing cybersecurity spending against patient care spending and critical operations spending. This approach will help them overcome that. And all systems will chase incentive dollars, just like they did with MU. It's a win/win and one of the most powerful ways the federal government can support healthcare in raising its security game.
Takeaway 3) HHS will increase its enforcement for not meeting the CPGs through CMS and an update to the HIPAA Security Rule
Unfortunately, we can’t have our cake and eat it too. With increased incentives also comes increased enforcement, which is a good thing in the long run. That enforcement pressure reorients healthcare C-suites and boards towards prioritizing cybersecurity, which is still needed in many cases in our industry. The tenor of this announcement makes us think there could be some tie-in to meeting certain HPH CPGs as a condition of participating in Medicare and Medicaid, which will undoubtedly gain the attention of budget owners and business/clinical decision-makers. Additionally, the HIPAA Security Rule has been long overdue for an update. If the updates stay in sync with the HPH CPGs and the process flows from incentives first to enforcement second, this can potentially be a major win for all parties.
What should healthcare organizations do right now in reaction to this announcement?
While the announcement does not reveal much regarding the timeline (the only date mentioned is that the work to begin updating the HIPAA Security Rule will begin in the spring of 2024), it’s safe to say that healthcare organizations need to start planning how to react to this right now. Here are some steps we recommend:
- Read the currently published CISA Cross-Sector Cyber Performance Goals and the Health Industry Cybersecurity Practices. The HPH CPGs will consist of some combination of these two publications, so you can get ahead of the game by understanding how they frame the practices and how to assess them.
- Do an informal thought-exercise assessment of your organization’s capability to meet what you read in the CPGs and HICP. With 2 hours of reading and thinking, you’ll have a decent handle on how much effort you’d have to take on to meet them all. The good news is that the CISA CPGs were intentionally designed to align with the NIST Cybersecurity Framework. This means healthcare organizations already using the NIST CSF to manage their security program will not need to disrupt their strategic plan to work on these CPGs. Your focus may shift to certain subsets of the CSF, but it won’t require a complete pivot away from what you’ve probably been working on for years.
- Identify third-party partners who can help you formally assess against these requirements. Whenever the final version is published, it’s a safe bet that the first step will be to formally assess your posture against the requirements. Using an independent group to do the assessment and gather evidence of your controls will go a long way toward credibility with HHS, OCR, and CMS. Groups like that can also help you implement many controls you may be missing.
- Based on your informal review of HICP and CISA CPGs, start thinking about how you’ll handle some of the more difficult practices to implement. A great example here is the Vendor/Supplier Cybersecurity Requirements (from CISA CPGs, 1.I). It is a non-trivial thing to implement if you are not running a Third-Party Risk Management (TPRM) program or are doing it ad hoc. The volume of third parties you rely on and the amount of data sprawl you’re practicing on a regular basis make it a daunting task to assess and remediate risk appropriately. CORL has over a decade of experience managing this specifically for the healthcare industry and brings a combination of technology and managed services that turn this from a problem into a strength almost instantly.
- Keep an eye on new announcements from HHS and OCR. It’s safe to say much more will come of this in 2024, and we all need to be on top of it.
Where do vendors in the healthcare space fit into this equation?
It’s safe to say that any organization classified as a Business Associate should expect to be obligated to meet these requirements. The final version of this plan will most likely continue the years-long trend of forcing Business Associates to comply with HIPAA in their own right so that Covered Entities aren’t left holding the bag for BAs not taking security seriously.
But even if you’re not classified as a BA, it’s hard to imagine you being able to find interested suitors for your products and services if you’re not meeting these CPGs. Healthcare entities will be judged on their ability to meet the CPGs, and one of these requirements includes verbiage stating that they must vet their vendors’ security posture to “evaluate in vendor selection if, given two offerings of roughly similar cost and function, the more secure offering and/or supplier is preferred.”
If you’re a vendor unsure how to meet an appropriate security bar for your buyers, let CORL help. Our CORL Cleared program serves as the TSA PreCheck of the healthcare TPRM industry. It offers the methodology and technology that can make it possible for you to never answer a security questionnaire again.
Overall, the importance of this announcement cannot be overstated. When we start talking about overhauling HIPAA, promising incentive payments, and hinting at placing cybersecurity conditions on Medicare and Medicaid participation, we are talking about industry-changing topics. This announcement is yet another sign that cybersecurity is a critical component of healthcare, and organizations must take it seriously or risk damaging their business and reputation.
BRITTON BURTON | SENIOR DIRECTOR OF TPRM STRATEGY
Britton is a cybersecurity and risk management expert with over a decade of dedicated experience in designing and leading security programs and teams in the healthcare domain. He has held multiple senior leadership roles in cybersecurity at a Fortune 100 healthcare corporation with lines of business touching nearly every aspect of the modern healthcare ecosystem. Britton's multifaceted roles have encompassed critical areas such as risk management, executive communication and relationship building, governance, GRC, third-party risk management, incident response, disaster recovery planning, and policy and procedure management. Throughout his various roles, the central focus of his career has consistently been on developing and implementing practical risk management frameworks to help his stakeholders and customers make sense of the day-to-day chaos that is cybersecurity. Now, Britton applies this passion for practical solutions at CORL Technologies, where he is the Senior Director of Product Strategy responsible for a methodology that is revolutionizing TPRM from a contract roadblock to a contract enabler.