HHS Announces Upcoming Strategies to Enhance Cybe

HHS Announces Upcoming Federal Strategies to Enhance Cybersecurity for Health Care and Public Health Sectors

The Department of Health and Human Services ("HHS") has released a concept paper outlining its new cybersecurity strategies for the health care sector, identifying cybersecurity priorities, potential future regulations and expectations of industry practices, and possible future enforcement.

In December 2023, HHS released a paper outlining new cybersecurity strategies for the health care sector to improve cyber resiliency. Although this paper does not establish express regulatory requirements, it identifies HHS's cybersecurity priorities and previews potential future regulations. The paper noted a 93% increase in large breaches reported to the Office of Civil Rights ("OCR"); and a 278% increase in large breaches involving ransomware, from 2018 to 2022. To combat this trend, HHS outlines four categories for action:

  • Voluntary Health Care and Public Health Sector Cybersecurity Performance Goals (HPH CPGs). Augmenting current applicable requirements, such as Health Insurance Portability and Accountability Act ("HIPAA"), HHS will establish sector-specific cybersecurity "essential" and "enhanced" performance goals setting minimum and advanced practices, respectively. 
  • Resources to Incentivize and Implement Cybersecurity Practices. HHS will work with Congress to obtain and administer funding for hospital cybersecurity investment and enforce requirements through financial penalties. 
  • HHS-Wide Strategy to Support Greater Enforcement and Accountability. HHS intends to incorporate HPH CPGs into existing regulations and programs, including via Medicare and Medicaid requirements and OCR updates to the HIPAA Security Rule.
  • Expand and Mature "One-Stop Shop" Within HHS for Health Care Sector Cybersecurity. HHS aims to "mature" its cybersecurity support function within the Administration of Strategic Preparedness and Response to enhance accessibility to resources and foster coordination between federal departments and the industry. 

The paper is consistent with increased focus on health data privacy and cybersecurity across federal agencies, building on HHS publications on privacy and tracking technologies, first-of-its-kind federal enforcement, and new state privacy laws. Whereas health data regulations have historically allowed a flexible approach to how cybersecurity practices are implemented, the paper and referenced upcoming Centers for Medicare and Medicaid Services ("CMS") and OCR proposed actions indicate a concerted effort to establish more standardized requirements to set a "clear direction for [the] industry" and "inform potential future regulatory action[.]" Consistent with this approach, HHS's goals to gather funding and foster investment indicate its intention to pursue enforcement more vigorously with potential higher expectations of industry practices. 

Industry stakeholders should consider:

  • Reviewing their cybersecurity practices, especially in relation to the HPH CPGs;
  • Commenting on upcoming proposed actions relating to cybersecurity requirements (e.g., CMS and OCR proposed rules);
  • Investing in basic, advanced, and risk mitigation cybersecurity practices in advance of enforcement; and
  • Reviewing resources across federal departments including the HHS and Federal Trade Commission.
Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.