The Biden administration has unveiled a healthcare cybersecurity concept paper, emphasizing the need for increased funding and authority to address the rising threat of cyberattacks in the healthcare industry. The Department of Health and Human Services (HHS) outlined a plan that includes new Medicare program requirements, hospital incentive programs, and enhanced internal coordination to strengthen cybersecurity.
The concept paper highlights a significant surge in large healthcare data breaches, with a 93% increase from 2018 to 2022, along with a staggering 278% increase in ransomware-related incidents during the same period. To counter these threats, the HHS proposes four key steps:
- Establishing Voluntary Cybersecurity Goals:
  - Streamlining existing standards and guidelines with industry input.
  - Defining essential minimum goals and encouraging adoption of enhanced practices.
- Providing Resources and Incentives:
  - Collaborating with Congress to impose financial consequences for hospitals.
  - Introducing upfront investment programs for low-resourced hospitals and incentives for the broader sector.
- Implementing a Comprehensive Enforcement Strategy:
  - Proposing new cybersecurity requirements for hospitals through Medicare and Medicaid.
  - Updating the HIPAA Security Rule in spring 2024 to include cybersecurity requirements.
  - Seeking increased civil monetary penalties and enforcement related to HIPAA compliance.
- Expanding the HHS Cybersecurity Support Function:
  - Enhancing the healthcare cybersecurity support function within the Administration for Strategic Preparedness and Response (ASPR).
  - Facilitating industry access to government support and services, fostering coordination.
The HHS emphasizes the need to address cyber threats that endanger patient safety and erode trust in the healthcare system. The strategy aims to prepare hospitals, patients, and communities for better cybersecurity resilience. However, the American Hospital Association (AHA) gave a guarded response, welcoming additional support but opposing mandatory cybersecurity requirements that could divert hospital resources. The AHA pledged to collaborate with federal agencies and Congress to develop effective policies for preventing cyberattacks and protecting healthcare services and patient data.