
HHS Tells Health Systems: Get Serious About Cybersecurity

Analysis | By Eric Wicklund
December 29, 2023

Federal officials have unveiled a new strategy to address rising cybersecurity incidents. It includes incentives to improve data security, beefed-up guidelines, and the potential for cuts in reimbursement.

With cybersecurity incidents occurring on an almost-daily basis in the healthcare sector, federal regulators are looking to take a more active role in improving data security.

The Health and Human Services Department has released a new strategy for cybersecurity, centered on four steps aimed at improving the healthcare landscape. The six-page document builds on the Biden administration’s National Cybersecurity Strategy, which was unveiled last March, and follows recent actions taken by federal agencies to boost security, including the release of healthcare-specific practices and training resources, guidance on medical device security from the US Food and Drug Administration, and new telehealth guidelines from the HHS Office for Civil Rights (OCR).

“The healthcare sector is particularly vulnerable, and the stakes are especially high,” HHS Secretary Xavier Becerra said in a release accompanying the strategy. “Our commitment to this work reflects that urgency and importance. HHS is working with healthcare and public health partners to bolster our cybersecurity capabilities nationwide.”

The information comes at a particularly vulnerable time for the healthcare industry, which has seen an alarming increase in large data breaches and ransomware attacks in recent months. According to the OCR, the industry has seen an almost two-fold increase in large breaches from 2018 to 2022, from 369 incidents to 712, while ransomware attacks have surged 278% in that time.

“Cyber incidents affecting hospitals and health systems have led to extended care disruptions caused by multi-week outages; patient diversion to other facilities; and strain on acute care provisioning and capacity, causing cancelled medical appointments, non-rendered services, and delayed medical procedures (particularly elective procedures),” the HHS report notes. “More importantly, they put patients’ safety at risk and impact local and surrounding communities that depend on the availability of the local emergency department, radiology unit, or cancer center for life-saving care.”

With that in mind, HHS is planning to take a more active role in pushing the healthcare industry to improve its defenses. The agency plans to:

  1. Establish voluntary cybersecurity performance goals for the healthcare sector;
  2. Provide resources to incentivize and implement these cybersecurity practices;
  3. Implement an HHS-wide strategy to support greater enforcement and accountability; and
  4. Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity.


Of particular note are the financial incentives that the government will be offering to health systems that need help becoming more secure. According to the report, HHS will be launching a program to help struggling hospitals cover the up-front costs of implementing “essential” cybersecurity performance goals (CPGs), and a program that offers incentives for hospitals to invest in advanced cybersecurity practices in order to implement “advanced” CPGs.

In addition, the HHS strategy will include new cybersecurity requirements for hospitals that will be enforced through the Centers for Medicare & Medicaid Services (CMS), an indication that the federal government could tie compliance to Medicare and Medicaid reimbursements. As well, the OCR is scheduled to update the Health Insurance Portability and Accountability Act (HIPAA) Security Rule this coming spring to include cybersecurity requirements.

Not everyone is on board with the HHS strategy. Chris Bowen, founder and chief information security officer for ClearDATA, says the industry should get even tougher.

“While a gesture towards progress, [the strategy] falls critically short of what's imperative in today's climate,” he said in an e-mail to HealthLeaders. “Suggesting voluntary measures is akin to applying a band-aid on a hemorrhage; it's time for HHS to enforce rigorous, non-negotiable cybersecurity standards and to provide the necessary resources and mandates.”

“The sector's talent gap in cybersecurity is no secret, and it places our hospitals at a disadvantage, jeopardizing patient safety,” he adds. “We must look to the strategies of those who have robustly safeguarded healthcare data and replicate their assertive approach. Protecting lives extends beyond the physical realm; it encompasses shielding patients from the lethal threat of cyber-attacks. To accept minimum, voluntary standards is to tacitly endorse a status quo that endangers our patients.”

Eric Wicklund is the associate content manager and senior editor for Innovation at HealthLeaders.


Healthcare cybersecurity incidents have increased almost twofold since 2018, while ransomware attacks have surged close to 300%.

The Health and Human Services Department has followed up on the Biden Administration’s March 2023 National Cybersecurity Strategy with a six-page, healthcare-specific plan that indicates the agency will play a more active role in helping health systems become more secure.

The strategy includes new requirements issued through CMS and the HIPAA Security Rule, and incentives for struggling hospitals that need help improving their defenses.
