HHS Talks Cyber Strategy as Healthcare Threats Rise
The healthcare sector has been a growing target for cyber-attacks. Such attacks can disrupt hospitals' ability to provide care, make it harder to obtain patient records, and even expose patient information. Recently, cyber leaders within the Department of Health and Human Services (HHS) have been going public with cyber initiatives to help safeguard the nation’s healthcare system from cyber threats.
Focus on Information Sharing
At the Billington Cybersecurity Summit in Washington, DC, HHS Chief Information Officer (CIO) Karl Mathias reviewed some of the HHS cyber strategy. In particular, he discussed a two-pronged approach to tackling risk by expanding real-time threat operations and improving cyber information sharing with other agencies, hospitals, medical manufacturers, and others.
“We cannot be scared of sharing the data we have,” CIO Mathias said at the conference as reported by Government Executive. “We can’t let fear of the security issue prevent us from solving the problem.”
The focus on information sharing comes after a Government Accountability Office (GAO) report in 2021 said that HHS could improve collaboration efforts with both public and private partners.
CIO Mathias said the agency’s motto for cyber has become “Share as much as you can, recognize when you should and apply the cybersecurity principles to that data.”
CIO Mathias also cited the important work of the HHS 405(d) program, which includes a task force of over 200 cyber and healthcare experts to discuss response efforts and best practices.
HHS is also collaborating more with the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense (DOD), and the Department of Veterans Affairs (VA) to ramp up efforts to mitigate ransomware attacks.
HIMSS Healthcare Cybersecurity Forum
Meanwhile, other HHS cyber leaders spoke at the Healthcare Information and Management Systems Society (HIMSS) Healthcare Cybersecurity Forum.
Officials from the Administration for Strategic Preparedness and Response (ASPR), the Office for Civil Rights (OCR), and the 405(d) Program discussed their plans and priorities over the coming years.
For ASPR, which is the healthcare sector’s designated Sector Risk Management Agency (SRMA), the focus is on expanding capabilities by building out an SRMA cyber division, as well as new technology to better track, analyze, and report cyber incidents.
OCR, which investigates potential HIPAA violations due to breaches, will be focused on managing its complaint volume and following through with investigations. It will also provide resources to help entities understand HIPAA rules.
“We receive a lot of complaints. We're on track for well over 30,000 complaints that people have submitted to us regarding potential violations of their privacy or security of health information,” said Nicholas Heesters, senior advisor for cybersecurity at OCR.
This comes as HHS recently previewed a project it is working on in its Advanced Research Projects Agency for Health (ARPA-H). The Digital Health Security Project, or Digiheals, asked researchers and technologists to submit proposals for tools specifically designed to protect healthcare systems from cyber threats. Responses were due by September 7, 2023.