

Cheat Sheet - Cybersecurity Incentives and Penalties Under Consideration by Policymakers

Date: Thu, May 23, 2024, 07:00 AM



Cybersecurity Incentives and Penalties under Consideration by HHS & Congress


Cheat Sheet – May 2024


I. Preparing for Cybersecurity Mandates


For nearly the past two years federal authorities have expressed growing distress related to the increased number of cybersecurity attacks on healthcare providers – particularly hospitals. White House officials have expressed these concerns numerous times publicly over the past year. The U.S. Department of Health & Human Services (HHS) has published several cybersecurity-related documents pointing to their desire to adopt mandates. Their plan is neatly summarized in a December 6th press release and short concept paper, followed by the Department’s January 24th release of their Cybersecurity Performance Goals (CPGs), which represent best practices. They are broken down into ten “essential practices” and another ten “enhanced practices.” The White House has also released the second version of their National Cybersecurity Strategy Implementation Plan in May, and it contains a section (Initiative 1.1.4) promoting the adoption of cybersecurity best practices across the healthcare and public health sector.


It is also worth noting that HHS’ FY 2024-2028 Hospital Preparedness Program (HPP) Notice of Funding Opportunity released on May 17th contains newly included cyber components. HPP is the primary source of federal funding for healthcare system preparedness and response and, in collaboration with state and local health departments, prepares health care delivery systems to save lives through the development of health care coalitions (HCCs). HCCs – to which more than 90 percent of hospitals belong – will be required to engage in certain cyber activities in order to tap into these funds. More details about this funding opportunity can be found here.


Lawmakers are also taking notice, and at least one bill targeting cybersecurity mandates for healthcare providers has been introduced. This follows on the heels of Congress passing – and the President signing into law – the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires a variety of different entities across several sectors to report to the Cybersecurity and Infrastructure Security Agency (CISA) when they experience significant cyber incidents or when they pay a ransom.


In summary, federal authorities are considering a variety of actions and we fully expect there to be an announcement before the end of 2024 that outlines cybersecurity mandates specific to hospitals. Below are the policy pathways under consideration to help you prepare.


II. Overview of Cybersecurity Policy Mandates Under Consideration


See table in the attached PDF.


III. Details on Policy Levers


HIPAA Security Rule


HHS is planning to revise their HIPAA Security Rule and the date targeted for the release of the proposed rule is September 2024. They have said they plan to include cybersecurity practices within it. No Congressional approval is needed to revise the HIPAA Security Rule. The administration may release the rule sooner as this is an election year.


In response to our query regarding the mandatory implementation of the 20 HHS Cybersecurity Performance Goals (HHS-CPGs) and our members’ ability to comply without federal financial assistance, CHIME’s survey results revealed that 40 percent are unsure (i.e., selected “Maybe”), 33 percent said that they would be able to, and 27 percent said candidly and firmly, “No.” These diverse viewpoints underscore the complexity of achieving compliance with the CPGs without federal financial assistance.


Promoting Interoperability


HHS’s Budget in Brief contains a request to Congress for FY25 that would tap the Medicare Trust Fund for payment of incentives related to cybersecurity totaling $1.3 billion. Details on the budget proposal are below. It remains unclear whether CMS plans to create an entirely new incentive and penalty program or whether they plan to fold this into the existing Medicare Promoting Interoperability (PI) program. Whereas the Budget in Brief could be read to suggest they are considering an entirely new program, CMS states in their Inpatient Prospective Payment System (IPPS) proposed rule for FY25, “We intend to consider how the Medicare Promoting Interoperability Program can promote cybersecurity best practices for eligible hospitals and CAHs in the future.”


It is also worth noting that CMS already requires the use of the SAFER guides as a measure within the Promoting Interoperability program. These guides are focused on patient safety. There are numerous references to the HIPAA Security Rule (noting, however, that compliance with SAFER Guides does not necessarily constitute HIPAA compliance). The nexus here is patient safety. One guide states, “While this guide focuses on patient safety, many of its recommendations overlap with standards and implementation specifications of the HIPAA Security Rule, which focuses on ensuring the confidentiality, integrity, and availability of electronic protected health information.”


See table in the attached PDF.


Defining “High-Need” Hospitals


In HHS’ Budget in Brief they include a request for funding incentives for “high-need” hospitals. They do not detail which hospitals these are. However, by filtering “rural hospital” data by the method by which Medicare pays the hospital – including Critical Access Hospitals (CAHs), Rural Emergency Hospitals (REH), Medicare Dependent Hospitals (MDH), Sole Community Hospitals (SCH), and Rural Referral Centers (RRC) – there are a total of 2,081 hospitals that fall under one of these categories. This data also includes hospitals that have closed since 2005 that were located in an area designated as rural; filtering out closed hospitals, the total is 1,977. It remains unclear, though, if this is how HHS arrived at the 2,000 figure.


Health Care Cybersecurity Improvement Act of 2024


On March 22nd Senator Mark Warner (D-VA), Chair of the Senate Intelligence Committee, member of the Senate Finance Committee and co-chair of the Senate Cybersecurity Caucus, introduced a bill, the Health Care Cybersecurity Improvement Act of 2024. His press release can be found here. It would predicate provider access to Medicare accelerated and advance payments during a cyberattack on their adoption of minimum cyber standards. The law would take effect two years from enactment.
