
U.S. to unveil new cybersecurity rules for healthcare sector

WASHINGTON D.C., UNITED STATES — The United States government is set to introduce new regulations aimed at bolstering cybersecurity across the healthcare sector. 

These regulations will initially target hospitals, requiring them to implement minimum cybersecurity standards based on performance goals outlined by the Department of Health and Human Services (HHS) in January.

Deputy National Security Advisor Anne Neuberger announced the forthcoming regulations during an event in Washington, D.C., emphasizing that the administration has been working closely with healthcare sector groups and cybersecurity experts to develop them. 

“After COVID, it was a difficult time. More systems were rolled in. So, hospitals really do need to focus and double down on security,” she stated.

Focus on essential cybersecurity performance goals

The new regulations will focus on the “essential” cybersecurity performance goals (CPGs) issued by HHS. These goals include best practices such as multifactor authentication and strong encryption. 

While these CPGs were initially voluntary, the HHS budget proposal for fiscal 2025 includes financial penalties for hospitals that fail to meet these standards starting in fiscal 2029.

Addressing vulnerabilities in healthcare cybersecurity

The healthcare sector is considered one of the most vulnerable critical infrastructure sectors. Recent cyberattacks, such as the one on UnitedHealth Group’s Change Healthcare IT services unit, have highlighted the urgent need for improved cybersecurity measures. 

“Ensuring that hospitals can do a much better job in standing up against cyber threats that cause serious disruptions to patient care has really been a priority for the president,” Neuberger said.

Industry reactions and challenges

Industry leaders have expressed both support and concern regarding the new regulations. 

Mari Savickis, vice president of public policy for the College of Healthcare Information Management Executives, noted that a big challenge in the regulations “is making sure that whatever they require actually moves the needle and accomplishes the outcomes we all want to see, which are fewer successful attacks, fewer impacts to patient care, and stronger cyber defenses.”

Other experts also argue that focusing solely on hospitals is insufficient, as other entities, such as health insurers and third-party vendors, also face significant cyber threats. 

Greg Garcia, executive director of cybersecurity at the Healthcare and Public Health Sector Coordinating Council, stated that focusing solely on hospitals is insufficient, as other entities, such as health insurers and third-party vendors, also face significant cyber threats.

The U.S. administration’s new healthcare cybersecurity rules mark a critical step towards enhancing the sector’s resilience against cyber threats. 

By establishing clear performance goals and preparing for enforceable standards, the administration aims to protect patient safety and ensure the continuity of healthcare services in the face of increasing cyberattacks.

New York’s proactive measures for hospital cybersecurity

In a related development, New York State has proposed its own set of cybersecurity regulations for hospitals. 

Announced by Governor Kathy Hochul, these regulations require state-licensed hospitals to establish comprehensive cybersecurity programs, policies, and procedures. 

The proposed regulations include requirements for risk assessments, incident response plans, and multifactor authentication, among others. 

Hospitals will have one year to comply with these new requirements, except for the immediate obligation to report cybersecurity incidents within two hours of detection.
