Rising Cyberattacks on Hospitals: A Threat to Patient Safety and National Security
Hospitals and health systems across the United States are grappling with a surge in cyberattacks, leading to extended disruptions, patient diversions, and the cancellation of critical medical appointments and procedures. These incidents not only undermine patient care and safety but also expose vulnerabilities in the health care system, eroding patient trust. As these attacks grow in frequency and duration, they become increasingly risky and costly.
The U.S. Department of Health and Human Services (HHS) has been at the forefront of addressing this crisis, working closely with hospitals and health care systems to develop enduring policies that enhance cyber resiliency. Over the past four years, HHS has implemented a comprehensive strategy focused on three key areas: policy and regulation, resources, and sector coordination.
Policy and Regulation: Strengthening Cybersecurity Frameworks
HHS has introduced voluntary cybersecurity performance goals (CPGs) to help health care organizations prioritize high-impact cybersecurity practices. These CPGs aim to better protect the sector from cyberattacks, improve response mechanisms, and minimize risks. Additionally, updates to the HIPAA Security Rule now require all HIPAA-covered entities to adhere to new cybersecurity standards, ensuring the protection of individuals’ protected health information.
The Food and Drug Administration (FDA) has also stepped up, implementing pre-market cybersecurity requirements for all new medical devices. Meanwhile, the Centers for Medicare and Medicaid Services (CMS) has taken measures to enhance cybersecurity among payers, clearinghouses, pharmacy switches, and clinical laboratories.
Resources: Funding and Support for Vulnerable Organizations
Recognizing the challenges faced by small and under-resourced organizations, HHS has allocated meaningful funding to bolster cybersecurity preparedness. In 2024, $240 million was announced for hospital preparedness, with a strong emphasis on cybersecurity. ARPA-H is investing over $50 million in new technologies to improve the patching of security vulnerabilities.
To ensure hospitals remain operational during cyber incidents, CMS has established infrastructure for advance payments, safeguarding financial stability when billing services are disrupted. HHS has also proposed a $1.3 billion legislative package to fund Medicare programs, enabling hospitals to upgrade legacy technology, enhance vulnerability management, and mitigate third-party risks.
Sector Coordination: Building Partnerships and Sharing Information
The Administration for Strategic Preparedness and Response (ASPR) is working to improve cybersecurity coordination within HHS and across the federal government. Efforts include deepening partnerships with industry, enhancing information-sharing, and increasing the uptake of government support and services. HHS is also developing a one-stop shop for health care sector cybersecurity, streamlining access to critical resources.
Along with these large-scale initiatives, HHS has provided immediate support, including free cyber awareness training for employees and the first-ever nationwide cybersecurity risk-mapping exercise to identify vulnerabilities across the health care system.
Lessons for the Future
While significant progress has been made, the fight against cyberattacks is far from over. Policymakers and lawmakers must prioritize investments in under-resourced and rural organizations, ensuring they have the tools and funding needed to improve cyber resiliency. The integration of artificial intelligence (AI) into cybersecurity strategies will also play a crucial role in guiding organizations and mitigating risks.
Cyberattacks on health care systems pose a grave threat to patient safety and national security. As the Biden administration’s efforts demonstrate, addressing this issue requires bipartisan collaboration and sustained commitment. The next administration must continue to build on these foundations, ensuring the health care sector remains resilient in the face of evolving cyber threats.
| Key Initiatives | Details |
|---|---|
| Cybersecurity Performance Goals (CPGs) | Voluntary guidelines to prioritize high-impact cybersecurity practices. |
| HIPAA Security Rule Updates | New requirements for protecting health information. |
| FDA Pre-Market Cybersecurity Standards | Mandatory cybersecurity requirements for new medical devices. |
| $240 Million Hospital Preparedness Fund | Focused on cybersecurity improvements. |
| $1.3 Billion Legislative Proposal | Funding for upgrading technology and mitigating risks. |
| Nationwide Risk-Mapping Exercise | Identifying vulnerabilities across the health care system. |
The battle against cyberattacks in health care is ongoing, but with continued investment, innovation, and collaboration, the sector can build a safer, more secure future for patients and providers alike.
Strengthening Cybersecurity in Health Care: A Sector-Wide Imperative
The health care sector is under siege. Cyberattacks targeting sensitive patient data and critical operations have surged, making cybersecurity a top national security priority. As Andrea Palm, deputy secretary of the Department of Health and Human Services (HHS), emphasizes, “Bad actors have been increasingly refined in their efforts to breach sensitive patient data and interrupt health care operations.” This alarming trend underscores the urgent need for a sector-wide approach to cybersecurity, one that safeguards not just hospitals and medical devices but the entire interconnected health care ecosystem.
The Interconnected Nature of Health Care
Health care is unique among critical infrastructure sectors. It relies on thousands of interconnected technologies and organizations to function effectively. From medical clearinghouses and public health departments to e-prescribing software and delivery networks of critical medical supplies, every component plays a vital role. “It is not enough to secure only our hospitals and medical devices,” Palm notes. “Every part of the ecosystem must do their part to build and maintain cyber resilience.”
This interconnectedness creates both opportunities and vulnerabilities. While it enables seamless coordination and innovation, it also exposes the sector to cascading risks. A breach in one area can ripple across the entire system, disrupting patient care and compromising sensitive data.
The Role of HHS in Building Cyber Resilience
In response to these challenges, HHS has taken concrete steps to strengthen cybersecurity across the health care sector. The department has laid the foundation for an ongoing effort to mitigate risks and ensure the safety and continuity of health care operations. “We have put in place the foundation for an ongoing effort to strengthen cybersecurity that HHS will be able to use for years to come,” Palm states.
One key focus is the integration of artificial intelligence (AI) tools. While AI offers transformative potential, it also introduces new security challenges. HHS is working to provide resources and guidance to help health care organizations assess the security implications of these emerging technologies.
A Call to Action for the Health Care Ecosystem
The fight against cyber threats requires collective action. Health care organizations, technology providers, and government agencies must collaborate to build a resilient defense. This includes:
- Proactive Risk Assessment: Regularly evaluating vulnerabilities across all interconnected systems.
- Investment in Cybersecurity: Allocating resources to implement robust security measures.
- Education and Training: Equipping staff with the knowledge to identify and respond to threats.
As Palm aptly puts it, “We must maintain a sector-wide approach to cybersecurity.” This means vigilance at every level, from local clinics to national health networks.
Key Takeaways
| Aspect | Details |
|---|---|
| Threat Landscape | Increasingly sophisticated cyberattacks targeting patient data and operations. |
| Sector-wide Approach | Cybersecurity efforts must encompass all interconnected health care systems. |
| HHS Initiatives | Foundation laid for ongoing cybersecurity strengthening, including AI guidance. |
| Call to Action | Collaboration, investment, and education are essential for cyber resilience. |
Conclusion
The stakes are high. Cyberattacks on health care systems not only jeopardize patient safety but also threaten the stability of our national infrastructure. As Andrea Palm and HHS lead the charge, it is indeed imperative for every stakeholder in the health care ecosystem to step up. By working together, we can build a safer, more resilient future for health care.
What steps is your organization taking to bolster cybersecurity? Share your insights and join the conversation on how we can collectively safeguard our health care systems.
—
Andrea Palm is deputy secretary of the Department of Health and Human Services. In her role at HHS, she oversees the day-to-day operations of the department.
Ngthen cybersecurity across the health care sector. The department’s multifaceted strategy focuses on enhancing policy frameworks, providing critical resources, and fostering sector-wide coordination.
Policy and Regulation: Strengthening Cybersecurity Frameworks
HHS has introduced Cybersecurity Performance Goals (CPGs), which serve as voluntary guidelines to help health care organizations prioritize high-impact cybersecurity practices. These CPGs aim to bolster defenses, improve incident response, and minimize risks. Additionally, updates to the HIPAA Security Rule now require all HIPAA-covered entities to adhere to stricter cybersecurity standards, ensuring the protection of sensitive health information.
The Food and Drug Administration (FDA) has also implemented pre-market cybersecurity requirements for new medical devices, ensuring that they are designed with security in mind. Meanwhile, the Centers for Medicare and Medicaid Services (CMS) has enhanced cybersecurity measures for payers, clearinghouses, pharmacy switches, and clinical laboratories.
Resources: Funding and Support for Vulnerable Organizations
Recognizing the challenges faced by smaller and under-resourced organizations, HHS has allocated significant funding to bolster cybersecurity preparedness. In 2024, $240 million was announced for hospital preparedness, with a strong focus on cybersecurity. Additionally, ARPA-H is investing over $50 million in new technologies to improve the patching of security vulnerabilities.
To ensure hospitals remain operational during cyber incidents, CMS has established advance payment infrastructures, safeguarding financial stability when billing services are disrupted. HHS has also proposed a $1.3 billion legislative package to fund Medicare programs, enabling hospitals to upgrade legacy technology, enhance vulnerability management, and mitigate third-party risks.
Sector Coordination: Building Partnerships and Sharing Information
The Administration for Strategic Preparedness and Response (ASPR) is working to improve cybersecurity coordination within HHS and across the federal government. Efforts include deepening partnerships with industry, enhancing information-sharing, and increasing the uptake of government support and services. HHS is also developing a one-stop shop for health care sector cybersecurity, streamlining access to critical resources.
Alongside these large-scale initiatives, HHS has provided immediate support, including free cyber awareness training for employees and the first-ever nationwide cybersecurity risk-mapping exercise to identify vulnerabilities across the health care system.
Conclusion
The battle against cyberattacks in health care is ongoing, but with continued investment, innovation, and collaboration, the sector can build a safer, more secure future for patients and providers alike. Strengthening cybersecurity is not just a technical challenge but a sector-wide imperative that demands collective action and unwavering commitment.
By addressing vulnerabilities, enhancing coordination, and prioritizing resilience, the health care sector can better protect its critical infrastructure, safeguard patient care, and maintain public trust in the face of evolving cyber threats.