Collaboration at the Forefront of Healthcare Cybersecurity: HHS and NIST Emphasize United Efforts at 2024 Conference

Collaboration at the Forefront of Healthcare Cybersecurity | CyberPro Magazine

Keynote Highlights Ongoing Partnerships and Healthcare Cybersecurity Challenges

The Safeguarding Health Information: Building Assurance through HIPAA Security 2024 conference, held on October 23 in Washington, D.C., brought together leading officials from the U.S. Department of Health and Human Services (HHS), the National Institute of Standards and Technology (NIST), and other agencies. The central theme of the event was the critical role of collaboration in enhancing healthcare cybersecurity. In her keynote address, Andrea Palm, Deputy Secretary of HHS, emphasized the long-standing partnership between the Office for Civil Rights (OCR) and NIST. Together, these agencies have worked to develop new tools and guidelines to help healthcare organizations build stronger cyber defenses and comply with the HIPAA Security Rule.

Palm pointed to the urgency of addressing cybersecurity in healthcare, noting the sharp rise in ransomware attacks, with a 264% increase in data breaches involving ransomware between 2018 and 2022. “The stakes are high, not just for safeguarding personal health information but also for patient safety,” Palm said. She highlighted how disruptions caused by cyberattacks—such as care delays, patient diversions, and compromised medical procedures—put lives at risk.

Strategic Focus on Accountability and Financial Support

Palm outlined the three guiding principles of HHS’ healthcare cybersecurity strategy moving forward: strengthening accountability, providing financial support, and enhancing coordination across government agencies. A key concern she raised was the financial vulnerability of rural healthcare facilities and critical access hospitals, which often lack the resources to invest in adequate cybersecurity measures. This disparity in resources has created a gap in how various healthcare facilities can protect their systems from growing cyber threats.

Palm also addressed the need to simplify the process of engaging with the federal government on cybersecurity issues. “There are simply too many doors when it comes to accessing federal cybersecurity resources, especially for under-resourced healthcare providers,” she explained. In response to these challenges, HHS has taken several steps, including releasing a concept paper in December 2023 outlining a comprehensive healthcare cybersecurity strategy. Additionally, HHS introduced Cybersecurity Performance Goals (CPGs) in January 2024 to help healthcare organizations prioritize key cybersecurity practices.

Financial Incentives and Strengthening Healthcare Cybersecurity Standards

Palm also touched on the financial resources available to healthcare organizations to strengthen their cybersecurity capabilities. She pointed out that the Administration for Strategic Preparedness and Response had awarded $240 million in funding through the Hospital Preparedness Program, allowing healthcare facilities to invest in cybersecurity measures. Further financial support is expected, with President Biden’s fiscal year 2025 budget request proposing $1.3 million in incentives to help hospitals bolster their defenses against cyberattacks.

In closing, Palm emphasized HHS’ commitment to increasing accountability within the healthcare sector and updating the HIPAA Security Rule to reflect modern cybersecurity standards. She also highlighted efforts to build a streamlined system—a one-stop shop—for healthcare cybersecurity resources. As the conference progressed, she expressed hope that the partnership between OCR, NIST, and industry stakeholders would lead to stronger cyber resilience across the country. “We must all do our part,” Palm stated. “The issue of cybersecurity is urgent for HHS, and it is vital for the safety of the patients we serve.”
