Cybersecurity collaboration takes center stage at HIPAA Security 2024 conference
Caitlin Anthoney Oct 28, 2024 6:24:21 PM
Officials from HHS and NIST focused on the importance of collaboration to enhance healthcare cybersecurity during the first day of the Safeguarding Health Information conference.
What happened
On October 23, 2024, during a keynote presentation at the Safeguarding Health Information: Building Assurance through HIPAA Security 2024 conference, HHS Deputy Secretary Andrea Palm reiterated that the Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) are working together to improve healthcare cybersecurity.
Palm reported a staggering 264% increase in data breaches involving ransomware from 2018 to 2022 and emphasized the need for collaboration among government agencies. She also identified three principles guiding HHS's cybersecurity strategy:
- Strengthening accountability among all healthcare entities.
- Supporting the sector financially with investments in under-resourced facilities like rural hospitals and clinics.
- Improving federal coordination for cybersecurity, especially for low-resourced providers.
Going deeper
While previous HHS and NIST initiatives have set the foundation for healthcare cybersecurity, more recent efforts include strategic documents outlining cybersecurity goals and standards.
More specifically, the HHS released a concept paper outlining its healthcare cybersecurity strategy in December 2023. One month later, the HHS issued cybersecurity performance goals (CPGs) for healthcare organizations.
What was said
Palm stated, "For years, we have worked together to develop new tools, guidance, and resources to help organizations build their cyber defenses, comply with the HIPAA Security Rule, and improve their resilience."
She also noted, “If we fail to meet this challenge, we are not only risking personally identifiable health information but the safety of the patients that we all serve.”
By the numbers
- 264% increase in data breaches involving ransomware from 2018 to 2022.
- $240 million in funding for cybersecurity through the Hospital Preparedness Program.
- $1.3 million in financial incentives for hospitals proposed by President Biden for FY 2025.
Why it matters
Protected health information (PHI) is a major target in healthcare cyberattacks, with threat actors exploiting cybersecurity vulnerabilities for financial gain. Collaboration between agencies like HHS and NIST can therefore strengthen security measures, protecting both patients and healthcare infrastructure.
FAQs
What is a data breach?
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information, such as email login credentials, with unauthorized individuals.
Who needs to comply with HIPAA?
HIPAA compliance is required for covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle PHI.
What are the penalties for violating HIPAA regulations?
Civil penalties for HIPAA violations can include fines ranging from $100 to $50,000, with an annual maximum of $1.5 million per violation. Criminal penalties are applied when HIPAA violations are knowingly committed, with increased fines and imprisonment.