The United States Department of Health and Human Services said it is planning to take a range of actions in an effort to better address cyberattacks on hospitals, which have caused dozens of outages across the country in recent months.
HHS published a planning document on Wednesday, first reported by Politico, that outlines several voluntary and potentially mandatory actions hospitals will need to take.
HHS said it is seeking comment on proposals that would see new cybersecurity requirements for hospitals pushed through Medicare and Medicaid programs, ostensibly tying federal payments to baseline standards.
A similar concept has been floated by HHS Deputy Secretary Andrea Palm and Sen. Mark Warner, according to Politico.
In addition to adding cybersecurity requirements to Medicare and Medicaid, HHS floated potential updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in the spring of 2024 that would also include new cybersecurity requirements.
HHS said it is planning to work with Congress on increasing civil monetary penalties for HIPAA violations and expanding its resources so it can investigate more potential HIPAA violations, conduct audits and provide more technical assistance.
The plan comes as hospitals continue to face near-relentless attacks from ransomware gangs that have caused weeks-long outages and have forced ambulances to be diverted and appointments to be canceled.
A study from University of Minnesota researchers released in October found that ransomware incidents increased the in-hospital mortality for patients admitted to attacked hospitals.
The researchers estimate that from 2016 to 2021, between 42 and 67 Medicare patients died as a result of the outages caused by ransomware attacks.
In addition to the immediate effects of ransomware attacks, the information stolen by hackers during incidents has long-term effects on victims.
Through the Office for Civil Rights, HHS tracks large data breaches and has found a 93% increase in large breaches reported from 2018 to 2022, with a 278% increase in large breaches reported to OCR involving ransomware from 2018 to 2022.
Just this week, a ransomware gang took credit for an attack on Tri-City Medical Center - which forced the San Diego hospital on November 9 to take its systems offline, halt elective procedures and take other actions in light of the damaging attack.
The hospital was only able to return to full functionality on December 2.
Ransomware attacks on Capital Health, Ardent Health Services and Prospect Medical Holdings this year left dozens of hospitals scrambling to provide patient care amid near-catastrophic technology outages.
Recorded Future - the parent company of The Record - reported at least 19 ransomware attacks on healthcare facilities last month and steep increases in incidents throughout 2023.
The most recent efforts and plans are being built off of the 2023 Hospital Cyber Resiliency Landscape Analysis conducted in the wake of the release of the National Cybersecurity Strategy - which ordered sector management agencies like HHS to use every tool available to increase cybersecurity protections.
HHS plans to now establish voluntary cybersecurity performance goals for the healthcare sector, incentivise better cybersecurity practices and implement an HHS-wide strategy to support greater enforcement and accountability.
HHS also wants to further expand and mature its own cybersecurity resources.
This Cyber News was published on therecord.media. Publication date: Thu, 07 Dec 2023 21:30:09 +0000