2024 was a record year for cyberattacks in the healthcare sector. According to the Breach Portal maintained by the U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”), to date this year there have been more than 530 breaches of protected health information (“PHI”) affecting 500 or more individuals. 2024 also saw the largest known breach of PHI at a HIPAA-regulated entity: the Russia-linked cybercrime organization BlackCat/ALPHV executed a ransomware attack on Change Healthcare, Inc., the payment processor owned by UnitedHealth, which affected the records of more than 100 million individuals.

Cyberattacks on healthcare organizations, in addition to disrupting the operational continuity of the affected organizations and causing financial losses, can significantly and adversely affect the patient care continuum and erode the public’s trust in the healthcare system. In view of the patient and public safety risks posed by cyberattacks in the healthcare sector, the National Security Council deemed the healthcare and public health sector to be one of the top three (3) sectors prioritized for additional cybersecurity attention, according to an HHS report. Several key regulatory developments in 2024 reflect the increased attention to, and expectations for, cybersecurity programs in the healthcare sector.

  • Cybersecurity Performance Goals. On January 24, 2024, HHS published a set of voluntary healthcare and public health sector-specific Cybersecurity Performance Goals (“CPGs”) to help healthcare organizations “prioritize implementation of high-impact cybersecurity practices” that are “designed to better protect the healthcare sector from cyberattacks.” The CPGs are divided into essential goals for ensuring a minimum floor of safeguards and enhanced goals for maturing cybersecurity capabilities, with the essential goals requiring mitigation of known vulnerabilities and implementation of email security, multifactor authentication, basic cybersecurity training, strong encryption, basic incident planning, use of unique credentials, use of separate accounts for privileged accounts, processes for revoking credentials of departing workforce members, and vendor/supplier cybersecurity requirements.
  • Healthcare Cybersecurity Act. On July 11, 2024, a bipartisan group of senators introduced the Healthcare Cybersecurity Act of 2024 (S.4697), which would require the Cybersecurity and Infrastructure Security Agency (“CISA”), in coordination with HHS, to enhance the cybersecurity of the healthcare and public health sector by providing information and training on cybersecurity threats to healthcare organizations. Specifically, the Healthcare Cybersecurity Act contemplates the following:
    • Appointment of Liaison. CISA and HHS will appoint an individual with appropriate cybersecurity expertise to serve as the liaison of CISA to HHS. The duties of the liaison include (1) providing healthcare organizations training on improving cybersecurity, (2) supporting development and implementation of and updates to the healthcare and public health sector specific plan for cybersecurity (the “Healthcare Cybersecurity Plan”), (3) facilitating sharing of cyber threat information and appropriate defensive measures for raising awareness and (4) coordinating between CISA and HHS during cybersecurity incidents within the healthcare and public health sector.
    • Training for Healthcare Organizations. CISA, in coordination with the liaison and private sector healthcare experts, will provide training to healthcare organizations on cybersecurity risks in the healthcare sector and mitigation strategies.
    • Healthcare and Public Health Sector Specific Cybersecurity Plan. Within one (1) year of enactment of the Healthcare Cybersecurity Act, CISA, in coordination with HHS, will update the Healthcare Cybersecurity Plan to discuss (1) the specific impact of identified cybersecurity risks on healthcare organizations, (2) challenges faced by healthcare organizations in (a) securing information systems, medical equipment and PHI, (b) implementing cybersecurity protocols and (c) responding to cybersecurity attacks, (3) best practices for the deployment of cybersecurity advisors and state coordinators to healthcare organizations, (4) an assessment of cybersecurity workforce shortages in the healthcare and public health sector and (5) an effective strategy for CISA and HHS to communicate cybersecurity recommendations to healthcare organizations.
    • Identification of High-Risk Healthcare Organizations. Within ninety (90) days of enactment of the Healthcare Cybersecurity Act, CISA will establish objective criteria for classifying healthcare organizations as high risk. HHS will develop and update biannually a list of high-risk organizations and notify the affected organizations and Congress following each update. HHS will use this high-risk list to prioritize resource allocation to high-risk organizations.
    • Reporting. Within one-hundred twenty (120) days of enactment of the Healthcare Cybersecurity Act, CISA will submit to Congress a report on the support that CISA has provided to healthcare organizations to prepare for cyberattacks.
  • HISAA. On September 25, 2024, a group of Democratic senators introduced the Health Infrastructure Security and Accountability Act of 2024 (S.5218) (“HISAA”) to amend titles XI and XVIII of the Social Security Act to strengthen the security standards for health information. Specifically, HISAA contemplates:
    • Minimum Security Requirements. Effective two (2) years from the date of enactment of HISAA, Section 1173(d) of the Social Security Act will be amended such that HHS will adopt (1) minimum security requirements for covered entities and business associates (as defined in 45 CFR 160.103 for HIPAA) and (2) enhanced security requirements for covered entities and business associates that are either of systemic importance, as determined by HHS, or important to national security, as determined by HHS in coordination with CISA. HHS will update the minimum and enhanced security requirements at least every two (2) years.
    • Risk Management and Reporting Requirements. Effective three (3) years from the date of enactment of HISAA, each covered entity and business associate will, at least annually, conduct a security risk analysis and stress test, document a recovery plan, certify compliance with the minimum or enhanced (as applicable) security standards in a written statement attested by the CEO and CISO, and publish the status of compliance on a public website. HHS has the discretion to grant a waiver of the foregoing obligations to a covered entity or business associate based on a cost-benefit analysis. HHS will provide at least two (2) different stress test methodologies for use by covered entities and business associates.
    • Audits. Effective one-hundred eighty (180) days from the date of enactment of HISAA, each covered entity and business associate will use an independent auditor to conduct an annual audit to determine compliance with the minimum security requirements or, if the minimum security requirements are not yet in effect, the HHS CPGs. Effective four (4) years from the date of enactment of HISAA, HHS will conduct an annual audit of the data security practices of at least twenty (20) covered entities or business associates and provide reports of such audits to Congress biennially.
    • Civil and Criminal Liabilities for Non-Compliance with Documentation and Audit Requirements. Any covered entity or business associate that fails to timely provide the required documentation, comply with an audit or fulfill the responsibilities under 45 CFR 160.310 will be subject to a civil money penalty of up to $5,000 per day for each failure. Any individual who knowingly submits false information or causes willful delay in submitting information will be guilty of a felony and subject to $1,000,000 in fines or ten (10) years’ imprisonment upon conviction.
    • Increased Civil and Criminal Liabilities for Non-Compliance with Security Standards for Health Information. For failure to comply with the security requirements set forth in Section 1173(d) of the Social Security Act for health information, healthcare organizations will no longer have the protection of the statutory caps. Additionally, the following minimum civil liabilities will apply: (1) $500 for violation without knowledge; (2) $5,000 for violation due to reasonable cause and not to willful neglect; (3) $50,000 for violation due to willful neglect that is not corrected; and (4) $250,000 for violation due to willful neglect that is not corrected. In determining the penalty, HHS may consider the size of the covered entity or business associate, compliance history and good faith efforts to comply with the security standards.
    • User Fees. HHS is authorized to charge each covered entity and business associate a fee equal to the pro rata share of the entity or associate of the aggregate amount of fees that HHS collects in a fiscal year. The pro rata share is determined based on the ratio, for the preceding fiscal year, of the revenue of the entity or associate to national health expenditures.
    • Medicare Assistance to Address Cybersecurity Incidents. For critical access hospitals, there is an allocation of (1) $800,000,000 in funding to adopt essential cybersecurity practices and (2) $500,000,000 in funding to adopt enhanced cybersecurity practices. Critical access hospitals include hospitals that have a disproportionate percentage of Medicare beneficiaries or are located in rural areas.
    • Medicare Accelerated Advance Payments in Response to Cybersecurity Incidents. Upon a cybersecurity incident causing significant disruption to Medicare claims processing and resulting in cash flow problems for a critical access hospital or certain other eligible healthcare organizations, HHS is authorized to make accelerated payments to such affected organization.
  • NY State Department of Health. On October 2, 2024, the New York State Department of Health adopted new hospital cybersecurity regulations that require adoption of a cybersecurity program with specified capabilities and impose incident reporting requirements.

Regulatory developments for cybersecurity programs in the healthcare sector will continue to unfold in 2025. In the meantime, healthcare organizations should continue to enhance their cybersecurity defenses and adopt the industry practices recommended by the CPGs, including multifactor authentication, which regulators increasingly expect.

We will continue to watch for further developments. For more information on the full landscape of laws and regulations governing cybersecurity in the healthcare and medical device sectors, see PLI’s new edition of its cyber law treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk.