Question 1

What’s special about this cybersecurity plan that’s different than HHS' previous efforts to address healthcare breaches?

Accepted Answer

This plan builds upon HHS' previous efforts, which have included the creation of the wall of shame, as well as other guidelines and trainings. This plan also includes guidance specific to telehealth. The plan, which is part of the Biden administration’s national cybersecurity strategy, is explicit in how it lays out what it expects of healthcare systems via these 20 CPGs — some are essential, some more advanced. Read the plan and become acquainted with this initiative to better understand how seriously HHS is taking this as well as implications for your organization.

Question 2

Why these 20 goals? What’s driving them as the priority?

Accepted Answer

CPGs were created from other industry-leading cyber best practices, including HICP Technical Volumes 1 and 2, the NIST Cybersecurity Framework 2.0 released Feb. 26, 2024, and NIST 800-66 Revision 2: Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide, released Feb. 16, 2024. These are common areas of vulnerability and industry experts agree they’re the first- and second-line priorities healthcare organizations should consider. What’s the difference between essential and enhanced goals? The CPGs are split into two different types of goals: essential and advanced. Essential goals are baseline safeguards intended to protect against attack. Enhanced goals are the next level of defense, intended for more advanced attacks.

Question 3

Are hospitals and health systems going to be incentivized or penalized?

Accepted Answer

As of Spring 2024, these are voluntary and will be tied to incentives that require Congressional involvement and are not yet determined. The plan outlines two types of incentives: Upfront investment support to cover essential CPGs for certain high-need healthcare providers An incentive program to cover enhanced CPGs for all hospitals and health systems The guidance also alludes to financial penalties in the long term as possibilities — implying these voluntary incentive-based steps might become mandatory and subject to noncompliance or fines in the future. Additionally, the plan references: A CMS proposal to require cybersecurity activities, meaning reimbursement could be affected if goals are unmet Future modifications to the HIPAA Security Rule in 2024 to include cybersecurity requirements A proposal to weave the CPGs into existing regulations to make them enforceable For adequate preparation for what’s to come, view these rules as requirements, not just recommendations.

Question 4

What should healthcare executives be asking of their IT teams?

Accepted Answer

Ensure there’s a flow of information coming to you from your IT and information security teams; they should be reporting up their progress, barriers, and current status. High-level questions to consider include: What’s our cybersecurity maturity? Do we have all the essential steps covered? If not, what will it take to get there? How many incidents are reported and mitigated weekly? Is ransomware testing available to understand vulnerabilities and recovery turnaround?

Question 5

When should organizations get started on implementing these CPGs?

Accepted Answer

The best time to implement these CPGs is right now. Many of these steps can take time, and while the timing of any incentives or penalties is uncertain, it’s better to outline a road map to do these things sooner rather than later. These practices are industry-recognized and reflective of recommended cybersecurity stewardship, so don’t delay. The runway to implement these changes can vary by health system and their maturity of IT infrastructure and security controls. For the essential rules, it could take just weeks if they already have most of these areas addressed, for others it could be years if they don’t.

Question 6

Even though the incentives aren’t specified yet, the plan suggests HHS will give upfront investment support for certain hospitals and health systems to address the essential CPGs. Why should these entities put in the effort now if they could wait and be subsidized for those same efforts once incentives are finalized?

Accepted Answer

We don’t know when the incentives will be available, and cyber criminals and attackers aren’t going to wait. They’ll continue to target healthcare systems until they find it’s no longer an easy target. As seen from recent cyberattacks, and especially from the Change Healthcare ransomware attack, a successful attack can take systems down for weeks or even months, costing the hospital and health system millions of dollars to respond and recover, so it makes financial sense to start building a strong cybersecurity posture as soon as possible.

Question 7

Which CPGs should health systems prioritize?

Accepted Answer

Prioritize the essential goals first, then look to the enhanced. Most health systems will already have most of the essential steps addressed in some way, meaning they likely shouldn’t need a start-from-scratch approach. Beyond that, take a risk-based approach: Know your individual risk and prioritize your known unique vulnerabilities.

Question 8

How much time do hospitals and health systems have to meet these goals?

Accepted Answer

Timing hasn’t been specified, only that HHS intends to have all hospitals and health system meeting sector-specific CPGs in the future.

Question 9

What else do we need to know about this?

Accepted Answer

Cybersecurity is complex and changing. As technology becomes more sophisticated, so do strategies used by bad actors to exploit vulnerabilities. This plan isn’t mandatory now, but it could be someday. Regardless, cyberthreats jeopardize patient safety and privacy as well as site resources, revenues, and reputation, so promoting cyber resiliency should be a top priority for hospitals and health systems.

Q&A: Are you checking all the boxes of the HHS newest cybersecurity plan?

Troy Hawes

Brian Conner

Related sections