The HHS went on to release voluntary cybersecurity objectives for healthcare and public health organizations on January 24, as the sector goes on to grapple with growing large data breaches along with ransomware attacks.
The performance objectives, broken down into essential as well as enhanced safeguards, aim to enable the organizations to safeguard themselves against cyberattacks, enhance their response if an incident takes place, and also lessen the remaining risk after the security measures are applied.
The resources come after the HHS went on to release a concept paper in December 2023 that detailed plans to develop hospital cybersecurity needs by way of Medicare and Medicaid and eventually update the HIPAA rule.
Healthcare data breaches, especially those that come from hacking, have grown over the past decade, thereby exposing hundreds of millions of patients’ personal data that’s sensitive or protected health information.
It is well to be noted that breaches can be costly for healthcare organizations to take care of, but cyberattacks that go on to interrupt hospital functioning are also a risk when it comes to patient safety.
Interestingly, ransomware, wherein the criminals demand payment in exchange for restored sensitive information and critical system access, can disrupt normal care for weeks to come.
Notably, Ardent Health Services, which happens to run facilities in many states, was hit by a ransomware attack on the day of Thanksgiving, thereby pushing the hospital operator to take its network offline and also divert ambulances that were incoming. Ardent went on to restore access to its electronic health record in early December last year and completely recover its patient portal this month.
The novel cybersecurity objectives from the HHS look forward to helping healthcare organizations build layered safeguarding against cyberattacks, so if one defense fails, the other can serve as a backup, which the agency said happens to hold the key to creating resilience and also safeguarding patients.
Andrea Palm, the Deputy Secretary of HHS, said that they have a responsibility to help their health care system thwart cyber threats, embrace the evolving threat spectrum, and also build a more resilient vertical. Apparently, the release of these cybersecurity performance objectives happens to be a step forward for the industry as they look forward to proposing fresh cybersecurity standards that are unseen throughout the HHS policies and programs that happen to be informed by these CPGs.
The necessary objectives, which go on to include safeguards such as email security, multifactor authentication, as well as basic cybersecurity training for employees, go on to develop a base so as to help organizations manage vulnerabilities that are common.
The elevated protections, such as establishing processes so as to explore as well as address threats at vendors, demarketing critical assets into discrete network segments, along with cybersecurity testing, look forward to helping health systems go ahead and mature their defenses.
It is worth noting that hospitals cheered the voluntary goals, with Rick Pollack, the American Hospital Association president and CEO, recommending in an email statement that all elements of the healthcare sector execute these practices, such as third-party technology providers as well as business associates.
However, the trade and lobbying group has argued in the past that mandated cybersecurity benchmarks tied to funding that media reports suggest might as well be coming down the pike soon and could eliminate hospital resources that could be made use of to shore up their cyber defenses.