By Jesse M. Coleman, Owen R. Wolfe, and Sarah Fedner

Seyfarth Synopsis: The health care sector faces escalating cybersecurity risks given its size, its dependence on technology, and the sensitive nature of the data it handles. According to the U.S. Department of Health and Human Services' Office for Civil Rights, there has been an alarming increase in cybersecurity incidents since 2018, including a 93% increase in large data breaches reported from 2018 to 2022, with a notable surge in breaches involving ransomware (a 278% increase). Cyber-attacks in the health care industry pose significant business and legal risks for health care providers.

In response to these rising cyber incidents, and as part of President Biden’s larger National Cybersecurity Strategy released in March 2023, HHS issued its strategy paper entitled “Healthcare Sector Cybersecurity” on December 6, 2023. In the strategy paper, HHS proposed a framework to enhance cybersecurity in the health care industry. The strategy paper outlined a four-step approach:

  1. Establish Voluntary Cybersecurity Goals: HHS will work with the health care industry to create voluntary cybersecurity performance goals, distinguishing between “essential goals” intended “to outline minimum foundational practices for cybersecurity performance” and “enhanced goals” intended “to encourage adoption of more advanced practices.”
  2. Provide Resources: HHS will work with Congress to obtain new funding to support health care providers in implementing cybersecurity practices, including to provide upfront investments for low resourced health care providers and to establish an incentives program to encourage hospitals to adopt advanced cybersecurity measures.
  3. Implement Rules and Regulations: Beyond funding and voluntary goals, HHS proposes the incorporation of cybersecurity goals into regulations, including new requirements for hospitals through Medicare and Medicaid, as well as new cybersecurity requirements through HIPAA. HHS asserts that these new regulations will lead to greater enforcement and accountability.
  4. Expand the “One-Stop Shop” through the Administration for Strategic Preparedness and Response: HHS intends to enhance its “one-stop shop” for health care cybersecurity within the Administration for Strategic Preparedness and Response (ASPR) to facilitate industry access to government support and services.

The legal landscape for cybersecurity continues to evolve rapidly, including in the health care sector. HHS’s new strategy paper makes clear that cybersecurity will remain a focus for federal agencies, and that the health care industry must be prepared to adapt to the goals HHS has set out.

HHS has yet to implement any rules or regulations as contemplated in its December 6, 2023 paper, but it could update HIPAA regulations to address cybersecurity concerns as early as Spring 2024. 

We will provide further updates once HHS takes action.  In the meantime, Seyfarth’s 50-state health law privacy survey and data privacy website provide critical information about the latest regulations and updates regarding healthcare privacy laws.