Healthcare-specific cybersecurity performance goals (CPGs) and the establishment of a cybersecurity gateway are among several ways that the Department of Health and Human Services (HHS) is protecting against threats as cyberattacks on the healthcare industry rise.  

Ransomware attacks against the healthcare sector in the United States were up 128 percent last year, claiming 258 victims in 2023 compared to 113 in 2022, according to the Office of the Director of National Intelligence (ODNI).  

As attacks continue to increase domestically and worldwide, HHS has been working to strengthen cybersecurity in the healthcare sector, said Brian Mazanec, the deputy director of HHS’s Office of Preparedness Administration for Strategic Preparedness and Response (ASPR), during a Nextgov/FCW and Washington Technology event on Aug. 16. 

Electronic health records (EHR), an electronic version of a patient’s medical history, are often “either directly attacked or otherwise forced to go offline,” which significantly impacts healthcare providers’ ability to access and use patient records, Mazanec said. 

Cyberattacks on EHR systems can result in delayed medical procedures, disrupted care, rescheduled appointments, and strained acute care capacity.  

Mazanec explained that this is especially impactful to smaller rural clinics where cybersecurity may not be a top priority due to limited IT resources. HHS’s healthcare-specific CPGs are helpful for “less well-resourced entities in the healthcare system,” he said.  

HHS released its CPGs earlier this year. They include implementing multi-factor authentication, managing third-party supply chain risks, and having an incident response plan.

The agency also launched a new gateway website, HHScyber.gov, in January to streamline how healthcare providers can engage with the government on cybersecurity. The website is currently undergoing a “building out” of “functionality aligned to the CPGs,” Mazanec said. 

Other preventative solutions include having good backup systems and procedures in place, being able to revert to paper-based records and downtime procedures when EHR systems are disrupted, and training younger clinicians on using paper records. Mazanec noted that cloud-based EHR systems may be able to navigate attacks differently than local EHR systems.

Possible incident response solutions include investing in “pop-up” EHR systems that enable faster recovery and restoration of data.  

“From an incident response perspective, is there a technology that we can acquire – the Federal government or industry – that gives you like a pop-up EHR, [which could be] better than paper or downtime that you can shift to if your primary system is down,” said Mazanec, explaining that new technology could allow for faster recovery and uploading of records once the system is back online. 

HHS also partners with the FBI, Department of Defense, and Cybersecurity and Infrastructure Security Agency to support incident response and disrupt cyber adversaries. 

Weslan Hansen
Weslan Hansen is a MeriTalk Staff Reporter covering the intersection of government and technology.