The HHS outlines vital new pillars of action for cybersecurity in healthcare

In early December 2023, the U.S. Department of Health and Human Services published a concept paper outlining imperative new guidelines for healthcare organizations tackling cybersecurity. The publication comes on the tailwind of the Biden-Harris administration’s National Cybersecurity Strategy, building off of that momentum with a renewed focus on one of the nation’s most high-risk sectors. 

“Since entering office, the Biden-Harris Administration has worked to strengthen the nation’s defenses against cyberattacks,” HHS Secretary Xavier Becerra said in a press release. “The healthcare sector is particularly vulnerable, and the stakes are especially high. Our commitment to this work reflects that urgency and importance.” 

Why is cybersecurity important in healthcare as we move into the new year? Sensitive data exposure from health records can lead to identity theft and more serious attacks, painting a glaring target on the entire industry. Information collected from the HHS and its Office for Civil Rights (OCR) shows an astounding 278% increase in large breaches involving ransomware from 2018 to 2022 and a 93% increase in large breaches reported overall. 

Preventing these precisely targeted and unrelenting attacks requires more than just a few security scans a month; organizations in the health sector need a consistent and holistic approach to securing the many web applications they use to share and receive sensitive information every day.   

Critical actions from the HHS aim to bolster cybersecurity in healthcare

As the healthcare sector moves to adopt more strategically impactful cybersecurity policies, the concept paper outlines four key actions that should happen concurrently to reduce the number of cyber incidents and data breaches impacting healthcare:

• Establish voluntary cybersecurity performance goals for the healthcare sector. Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) provide a way to help healthcare organizations prioritize their security practices so they can implement the most high-impact tactics first. The HPH CPGs proposed by HHS will set a clear direction for the entire industry and inform future regulatory needs. 
• Drive cybersecurity best practice adoption in healthcare through incentives and upfront investments. The HHS is dedicated to working with Congress on sourcing funding and authority to administer financial assistance for domestic hospitals investing in cybersecurity. The HHS hopes to establish two new programs for this effort: one with upfront investments to help high-need organizations (for example, hospitals with low resources) and the other with incentives to encourage all hospitals in the United States to invest in cybersecurity practices and utilize HPH CPGs. 
• Implement an HHS-wide strategy to support greater enforcement and accountability. The HHS understands that mere voluntary goals will not result in adequate change in the healthcare sector and proposes that HPH GPGs be incorporated into existing regulations and programs to establish new cybersecurity standards that are more enforceable. Implementation should incorporate increased civil monetary penalties for HIPAA violations, proactive audits, and increased assistance for low-resourced entities. 
• Expand and mature the HHS as a one-stop shop for healthcare sector cybersecurity. One of the ultimate goals is for the HHS to mature to a “one-stop shop” for cybersecurity support in the healthcare sector within the Administration of Strategic Preparedness Response (ASPR). This will enable more effective coordination between HHS and the Federal Government while also improving the incident response capabilities of the HHS and providing critical security resources like vulnerability scanning.  

The concept paper states: “HHS believes these goals, supports, and accountability measures can comprehensively and systematically advance the healthcare sector along the spectrum of cyber resiliency to better meet the growing threat of cyber incidents, especially for high-risk targets like hospitals.” Taking action on these priorities will help the sector move toward better security and enhanced privacy for all seeking safe access to healthcare technology. 

In addition to these new guidelines and supporting initiatives, the HHS OCR plans to update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in 2024 to include new vital cybersecurity requirements. As they also intend to implement additional Medicare and Medicaid security requirements, organizations in healthcare need to keep an eye on these changes in order to implement the right processes and tools to help them succeed. 

Selecting effective healthcare cybersecurity solutions 

Basic web application attacks were one of the top three patterns resulting in breaches for healthcare in 2022, according to Verizon’s 2023 Data Breach Investigations Report. There were 525 incidents in all, of which 436 were confirmed to involve data disclosure—with 67% of the compromised data containing personal information and 54% containing medical information. 

As healthcare organizations move to keep sensitive information secure and comply with these new HHS directives, there is ample opportunity for streamlining web app security without disrupting development or user experience. Mature scanning tools are available that offer flexible deployment options and come equipped with built-in checks for HIPAA compliance so that organizations can hit their reporting goals with ease. 

When time is of the essence (which it always is in software development), modern scanning tools like Invicti’s solutions keep healthcare organizations on schedule by eliminating hours of manual work and reducing tedious false positives. Seamless workflows take center stage: integrations and a full-featured REST API make automating security tasks a reality so that teams save time—and sanity—as they build innovative solutions for hospitals, patients, and their communities.

When reviewing solutions that get the job done, organizations in the healthcare sector should look for security tools that can:

• Scan every corner of each app for maximum coverage and more visibility into lost, forgotten, or hidden assets. 
• Scan web apps, web services, and web APIs regardless of framework, technology, or language. 
• Combine dynamic application security testing (DAST) with the capabilities of interactive application security testing (IAST) for an inside-out and outside-in look. 
• Provide evidence-based verification to save time on manual security checks and present developers with detailed documentation of vulnerabilities for faster remediation. 
• Integrate into the software development lifecycle (SDLC) to minimize costly post-release security hurdles and eliminate bottlenecks in DevSecOps. 

At Invicti, we do all of that and then some. Looking ahead to future guidelines and regulations from the government, see how Invicti can help your hospital or healthcare organization stay secure 24/7, protect sensitive patient information, and maintain compliance.