Amid the response to the Change Healthcare ransomware attack, the Department of Health and Human Services (HHS) is reorganizing its healthcare cybersecurity efforts. It aims to create a centralized hub for cybersecurity resources and programs within the Administration for Strategic Preparedness and Response (ASPR).
Brian Mazanec of ASPR highlighted ASPR's role in coordinating cybersecurity information sharing across HHS and with industry partners. Other HHS organizations, such as the Health Sector Cybersecurity Coordination Center (HC3), the Food and Drug Administration, the Centers for Medicare and Medicaid Services (CMS), and the Office for Civil Rights, also play a part in managing healthcare cybersecurity risks.
Meanwhile, Senate Homeland Security Committee Chairman Gary Peters has requested information on HHS's efforts to prevent similar incidents and urged a campaign to educate healthcare entities about cybersecurity. The Biden administration has stressed regulating healthcare cybersecurity given the sector's vulnerability to ransomware attacks.
HHS will also continue to carry out a new cybersecurity strategy for the health sector, detailed by ASPR in a December white paper.
According to Federal News Network, Brian Mazanec, the deputy director for ASPR's Office of Preparedness, told attendees of a webinar that "we're really establishing ASPR as that one-stop shop to manage this information sharing across the department, with our partners in industry, and with the interagency." This comes after Mazanec noted that ASPR leads HHS's work as the "sector risk management agency" for the healthcare and public health sectors.
“There’s too many doors into cybersecurity when engaging with the federal government generally, let alone HHS,” Mazanec said. “Within HHS, there are a lot of different players. So we’re in the process now of really establishing this front door through ASPR to all of those resources.”
While lawmakers are asking questions about the federal response to the Change Healthcare incident, Gary Peters (D-Mich.), the Chairman of the Senate Homeland Security and Governmental Affairs Committee, released a letter on March 25 inquiring about HHS's efforts to prevent similar incidents from happening again. Additionally, he requested that both HHS and the Cybersecurity and Infrastructure Security Agency (CISA) initiate a campaign aimed at "educating healthcare entities and ordinary people regarding cybersecurity useful practices as well as resources they have access to."
The establishment of a one-stop shop within the Department of Health and Human Services (HHS) will lead to improved coordination both within HHS and across the broader federal government. This initiative will strengthen the partnership between the government and industry, fostering better collaboration in addressing cybersecurity challenges. It will also bolster HHS's incident response capabilities, enabling more effective and efficient responses to cyber threats. Additionally, the one-stop shop will promote greater utilization of government services and resources by providing easy access to technical assistance, vulnerability scanning, and other essential cybersecurity tools.
A ransomware attack is a type of cyberattack where malicious actors encrypt data on a victim's system and demand a ransom payment, typically in cryptocurrency, in exchange for restoring access to the data. Ransomware attacks have devastating consequences in the healthcare sector. They can disrupt critical operations, such as patient care and medical record management, leading to treatment delays and potentially compromising patient safety. Moreover, healthcare organizations often store sensitive patient information, making them lucrative targets for ransomware attackers seeking to extort money or steal data. The fallout from a ransomware attack can include financial losses, damage to reputation, and regulatory penalties for failing to safeguard patient data adequately.
HIPAA violations carry significant consequences, including civil monetary penalties ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million for identical provisions. Corrective action plans (CAPs) may also be required to address compliance deficiencies, along with resolution agreements that entail monetary settlements and corrective measures. Civil lawsuits can result in additional damages, while reputational damage and loss of eligibility for government programs are also concerns.
The goal of the reorganization is to centralize cybersecurity efforts, improve coordination among the various HHS organizations, facilitate information sharing with industry partners, and enhance incident response capabilities.
For healthcare organizations, implementing robust security measures, conducting regular risk assessments, training employees on privacy and security protocols, and staying current on regulatory changes are essential steps toward safeguarding patient data and maintaining HIPAA compliance.