Nixon Peabody LLP
    Alert / Healthcare

    HHS releases additional strategy to enhance cybersecurity for the healthcare sector

    Dec 13, 2023


By Laurie Cohen and Valerie Montague. Grace Connelly, a legal intern in Nixon Peabody's Healthcare practice and a 2024 JD candidate at Loyola University Chicago School of Law, assisted with the preparation of this alert.

    The Department of Health and Human Services outlines steps to strengthen cybersecurity in the healthcare industry.

    What’s the impact?

    • HHS plans to implement hospital incentive programs, new CMS cybersecurity requirements, and greater coordination to support enforcement and accountability.
    • Hospitals and health systems should expect updates to the HIPAA Security Rule in Spring 2024.
    • Both the federal government and private accreditation organizations are taking initiative to ensure appropriate cybersecurity practices are in place in the healthcare sector.


    The Department of Health and Human Services (HHS) released a concept paper on December 6, highlighting its next steps to bolster cybersecurity in the healthcare sector. Healthcare facilities have faced a 93% increase in large data breaches reported to the HHS Office for Civil Rights (OCR) from 2018 to 2022, including a 278% increase in breaches involving ransomware. HHS emphasized the particular vulnerability of hospitals and health systems in facing cyberattacks and the implications for patient safety and care. HHS believes the increase in data breaches and the risk to patient safety demands collaboration with Congress to develop new authority and funding to support hospital investment in cybersecurity.

The concept paper builds upon the National Cybersecurity Strategy released by the Biden administration in March 2023. The strategy laid out the Federal Government’s approach to investing in the nation’s cyber defense, securing critical digital infrastructure, and collaborating with allies to hold countries accountable for dangerous behavior in cyberspace. President Biden noted that ransomware incidents have disrupted critical infrastructure, including hospitals.

Following the National Cybersecurity Strategy, HHS collaborated with the healthcare industry to assess the current state of hospital cyber resilience and took immediate action using existing authorities and resources. HHS updated its voluntary healthcare-specific cybersecurity guidance to include the types of cybersecurity threats hospitals currently face. The Department also released free healthcare-specific cybersecurity trainings on topics such as ransomware; insider, accidental, or malicious data loss; and attacks on network-connected medical devices, to instruct staff at small and medium-sized healthcare facilities on essential cybersecurity practices. The Food and Drug Administration issued guidance on cybersecurity in medical devices that focuses on both premarket recommendations and requirements. Finally, OCR issued telehealth guidance in October to help educate patients about telehealth and the privacy and security of their protected health information.

    In the concept paper, HHS outlines four steps it will take to strengthen cybersecurity in healthcare. The first step is to establish voluntary cybersecurity goals for the healthcare sector. HHS will establish voluntary cybersecurity performance goals (CPGs) with input from the healthcare sector to eliminate any confusion caused by the numerous standards and guidance currently in place. The performance goals will include “essential” goals to serve as a minimum and “enhanced” goals that encourage more advanced practices.

    Second, HHS will work with Congress to provide resources to incentivize and implement these cybersecurity practices, including through financial support for investment in cybersecurity and enforcement of cybersecurity through financial consequences for hospitals. HHS has two visions: an upfront investments program to help high-need healthcare providers cover the costs of implementing CPGs and an incentives program to encourage all hospitals to invest in more advanced security practices.

    Third, HHS plans to implement a department-wide strategy to support greater enforcement and accountability, including proposed Centers for Medicare and Medicaid Services (CMS) cybersecurity requirements for hospitals through Medicare and Medicaid, as well as OCR cybersecurity updates, expected in the spring of 2024, to the HIPAA Security Rule. HHS plans to work with Congress to increase civil monetary penalties for HIPAA violations and increase resources available for HHS to enforce HIPAA compliance.

Finally, HHS plans to expand and mature its cybersecurity support function within the Administration for Strategic Preparedness and Response (ASPR) to enhance coordination between HHS and the rest of the Federal Government, as well as to facilitate industry access to the support and services the government offers.

In addition to HHS’s proposed steps to enhance cybersecurity and support enforcement and accountability, hospitals and health systems should be aware of enforcement efforts coming from private organizations. On December 5, The Joint Commission launched its Responsible Use of Health Data (RUHD) Certification program. The RUHD Certification program, a voluntary program set to go into effect on January 1, 2024, will objectively evaluate whether an organization is using appropriate practices in its secondary use of health data or in its transfer of health data to third parties. As privacy concerns regarding the use of patient data grow, The Joint Commission is attempting to standardize an approach to protecting patient data. While hospitals and health systems are already subject to enforcement actions initiated by OCR, an organization that obtains RUHD certification from The Joint Commission and then fails to implement the certification requirements might open itself up to additional liability in the event of a cyber incident.

    As cyber incidents in healthcare continue to rise, it is hoped that these initiatives will prompt hospitals and other healthcare providers to enhance data security and reduce cybersecurity risks.
