How HHS has strengthened cybersecurity of hospitals and health care systems | CyberScoop<\/title> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/hhs-cybersecurity-health-care-systems-hospitals\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"How HHS has strengthened cybersecurity of hospitals and health care systems\"> <meta property=\"og:description\" content=\"The agency has embraced performance goals, provided resources to small systems and improved coordination, its deputy secretary writes.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/hhs-cybersecurity-health-care-systems-hospitals\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-01-17T11:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2025-01-16T16:24:03+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/how-hhs-has-strengthened-cybersecurity-of-hospitals-and-health-care-systems-2.jpg\"> <meta property=\"og:image:width\" content=\"1024\"> <meta property=\"og:image:height\" content=\"683\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"mbracken\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736472020g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1737070850g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=cc5cb8dd0a9ba2b865c4\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83168\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83168\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fhhs-cybersecurity-health-care-systems-hospitals%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fhhs-cybersecurity-health-care-systems-hospitals%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83168 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/hhs-cybersecurity-health-care-systems-hospitals\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.465053763441\">\n<div class=\"single-article__header-content\" readability=\"36.039312039312\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/hhs-cybersecurity-health-care-systems-hospitals\/\"> <span>Commentary<\/span> <\/a> <\/li>\n<\/ul>\n<p> The agency has embraced performance goals, provided resources to small systems and improved coordination, its deputy secretary writes. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83168\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/how-hhs-has-strengthened-cybersecurity-of-hospitals-and-health-care-systems.jpg?resize=640%2C427&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/how-hhs-has-strengthened-cybersecurity-of-hospitals-and-health-care-systems-2.jpg 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/how-hhs-has-strengthened-cybersecurity-of-hospitals-and-health-care-systems-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/how-hhs-has-strengthened-cybersecurity-of-hospitals-and-health-care-systems-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/how-hhs-has-strengthened-cybersecurity-of-hospitals-and-health-care-systems-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/how-hhs-has-strengthened-cybersecurity-of-hospitals-and-health-care-systems-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/how-hhs-has-strengthened-cybersecurity-of-hospitals-and-health-care-systems-2.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/how-hhs-has-strengthened-cybersecurity-of-hospitals-and-health-care-systems-2.jpg?resize=1012,675 1012w\" sizes=\"(max-width: 1012px) 100vw, 1012px\"><figcaption> The headquarters of the Department of Health and Human Services in Washington, D.C., on Nov. 18, 2024. (Photo by ROBERTO SCHMIDT\/AFP via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"59.527359684906\"><body readability=\"120\"><\/p>\n<p>Hospitals and health systems across the country are experiencing a significant rise in cyberattacks. These cyber incidents have caused extended disruptions, patient diversion to other facilities, and the cancellation of medical appointments and procedures \u2014 all of which undermine patient care and safety. These attacks also expose vulnerabilities in our health care system and degrade patient trust. The more they happen, and the longer they last, the more dangerous and expensive they become.<\/p>\n<p>From the onset, the U.S. Department of Health and Human Services has been clear-eyed about the need for aggressive action, working hand-in-glove with hospitals and health care systems to create sustainable, actionable policies that improve cyber resiliency across the health sector. Over the past four years, HHS has taken numerous steps to deal with the growing increase of cyberattacks on our hospitals and health care systems. The actions taken fall under three categories: policy and regulation, resources, and sector coordination. <\/p>\n<p>In the first category, we developed and executed a department-wide strategy to increase enforcement and accountability in the sector, which outlined voluntary cybersecurity performance goals. These CPGs help health care organizations prioritize the implementation of high-impact cybersecurity practices to better protect the sector from cyberattacks, improve response when events do occur, and minimize risk. <\/p>\n<p>As part of this, HHS provided updates to the HIPAA Security Rule, which provides new cybersecurity requirements that all HIPPA-covered entities and their associates must follow. The rule would help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals\u2019 protected health information. The Food & Drug Administration implemented new pre-market cybersecurity requirements for all new medical devices. And the Centers for Medicare and Medicaid Services took steps to enhance cybersecurity among payers, clearinghouse, pharmacy switches, and clinical laboratories. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Second, we identified new resources to help small and under-resourced organizations implement cybersecurity practices. In 2024, HHS announced $240 million in hospital preparedness funding with a significant focus on cybersecurity. In addition to this downpayment on our cybersecurity preparedness, ARPA-H is investing more than $50 million in new technology to improve the patching of security vulnerabilities. We are also aware that cyber incidents can impact our providers, so CMS established infrastructure to advance payments to ensure hospitals remain solvent in the event billing services are halted. As part of the effort to incentivize and help hospitals implement the best high-impact cybersecurity practices, HHS released a $1.3 billion-dollar legislative proposal to fund programs through Medicare. This funding, if appropriated, would enable hospitals to upgrade legacy technology, build and improve vulnerability management programs, and mitigate their third-party risks. <\/p>\n<p>Third, the Administration for Strategic Preparedness and Response is working to improve cybersecurity coordination within HHS and the federal government, deepen HHS and the federal government\u2019s partnership with industry, improve timely information-sharing and incident response activities, and increase uptake of government support and services. This includes our ongoing efforts at HHS to build out a one-stop shop for health care sector cybersecurity. <\/p>\n<p>In addition to these large-scale efforts, we\u2019ve also provided immediate resources \u2014 including free cyber awareness training to help employees understand best practices \u2014 and released the first-ever nationwide cybersecurity risk-mapping exercise for the health care sector to identify key vulnerabilities across critical functions of the system. <\/p>\n<p>While this list is far from exhaustive, it captures some of the significant work undertaken by the Biden administration these past four years. But the work is far from over. Cyberattacks can have devastating impacts on patient safety and care, making cybersecurity of critical importance to our national security. Health care cybersecurity is an issue ripe for bipartisanship. We hope and anticipate the next administration shares this belief and continues to work across the aisle to find commonsense, sustainable solutions for this pressing issue. <\/p>\n<p>For a cybersecurity strategy in the health care sector to be successful, there are few lessons that policy officials and lawmakers must keep in mind: <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>We must invest in our under-resourced and rural organizations. It is clearer than ever that our entire health care system needs to elevate its cybersecurity. As Congress deliberates cybersecurity legislation, and as cybersecurity resources further develop for the sector, our government must ensure that our smaller, under-resourced organizations improve their cyber resiliency, whether that be through direct funding or technical assistance centers. <\/p>\n<p>We must utilize artificial intelligence to help guide organizations. The use of AI models in health care will continue to expand as organizations continue to integrate this technology into their operations. With this reality, it is imperative that HHS continue to help build the resources and guidance necessary to help health care organizations assess the security implications of new AI tools. <\/p>\n<p>We must maintain a sector-wide approach to cybersecurity. It is not enough to secure only our hospitals and medical devices \u2014 health care, more than any other critical infrastructure sector, relies on thousands of interconnected technologies and organizations to function. HHS must continue to be vigilant in assessing and mitigating risks everywhere, whether that be in medical clearinghouses, public health departments, e-prescribing software, or delivery networks of critical medical supplies. Because of this interconnectedness, every part of the ecosystem must do their part to build and maintain cyber resilience. <\/p>\n<p>Bad actors have been increasingly sophisticated in their efforts to breach sensitive patient data and interrupt health care operations, making cyberattacks one of the top national security issues our country faces. HHS has responded to these challenges with concrete steps that help to ensure patient safety and ongoing functioning of our health care system. We have put in place the foundation for an ongoing effort to strengthen cybersecurity that HHS will be able to use for years to come.<\/p>\n<p><em>Andrea Palm is deputy secretary of the Department of Health and Human Services. In her role at HHS, she is the chief operating officer and responsible for overseeing the day-to-day operations of the department. <\/em><\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"2.0409836065574\">\n<div class=\"author-card\" readability=\"10\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/how-hhs-has-strengthened-cybersecurity-of-hospitals-and-health-care-systems-1.jpg?w=640&ssl=1\" alt=\"Andrea Palm\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Andrea Palm<\/h4>\n<p> Andrea Palm is deputy secretary of the Department of Health and Human Services. In her role at HHS, she is the chief operating officer and responsible for overseeing the day-to-day operations of the department. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/hhs-cybersecurity-health-care-systems-hospitals\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How HHS has strengthened cybersecurity of hospitals and health care<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[280,1436,459],"tags":[284,1439,461],"class_list":["post-6968","post","type-post","status-publish","format-standard","hentry","category-commentary","category-department-of-health-and-human-services-hhs","category-health-care","tag-commentary","tag-department-of-health-and-human-services-hhs","tag-health-care"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/commentary\/\" rel=\"category tag\">Commentary<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-health-and-human-services-hhs\/\" rel=\"category tag\">Department of Health and Human Services (HHS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/health-care\/\" rel=\"category tag\">health care<\/a>","tag_info":"health care","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6968","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=6968"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/6968\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=6968"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=6968"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=6968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":6968,"date":"2025-01-17T05:00:00","date_gmt":"2025-01-17T11:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83168"},"modified":"2025-01-17T05:00:00","modified_gmt":"2025-01-17T11:00:00","slug":"how-hhs-has-strengthened-cybersecurity-of-hospitals-and-health-care-systems","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/17\/how-hhs-has-strengthened-cybersecurity-of-hospitals-and-health-care-systems\/","title":{"rendered":"How HHS has strengthened cybersecurity of hospitals and health care systems"},"content":{"rendered":"