In recent years, the healthcare sector has faced a surge in cyberattacks, posing meaningful threats to patient safety and system reliability. These breaches have led to prolonged disruptions, redirected patient care, and canceled medical procedures, eroding trust and exposing critical vulnerabilities. The frequency and duration of these incidents amplify their risks and costs, making cybersecurity a top national priority.
The U.S. Department of Health and Human Services (HHS) has been proactive in addressing this escalating crisis. Over the past four years, HHS has implemented a robust strategy to enhance cyber resilience across the healthcare landscape. This multifaceted approach focuses on three key pillars: policy and regulation, resource allocation, and sector-wide coordination.
Under the policy umbrella, HHS introduced voluntary cybersecurity performance goals (CPGs) to guide healthcare organizations in adopting high-impact practices. These CPGs aim to bolster defenses, streamline response efforts, and mitigate risks. Additionally, updates to the HIPAA Security Rule have reinforced cybersecurity requirements for covered entities, ensuring the protection of sensitive patient data. The Food and Drug Administration (FDA) also mandated pre-market cybersecurity standards for new medical devices, while the Centers for Medicare and Medicaid Services (CMS) strengthened cybersecurity measures for payers, labs, and clearinghouses.
To support smaller and under-resourced organizations, HHS launched significant funding initiatives. In 2024, $240 million was allocated for hospital preparedness, with a strong emphasis on cybersecurity. ARPA-H contributed over $50 million to develop technologies for patching vulnerabilities. CMS established advance payment systems to maintain hospital solvency during cyber incidents. Moreover, a $1.3 billion legislative proposal was introduced to fund Medicare programs, enabling hospitals to upgrade outdated technology, enhance vulnerability management, and reduce third-party risks.
Coordination efforts have also been a priority. The Administration for Strategic Preparedness and Response (ASPR) has worked to improve interagency collaboration, foster public-private partnerships, and streamline information-sharing and incident response. HHS is developing a centralized hub for healthcare cybersecurity, offering free training and conducting nationwide risk assessments to identify critical vulnerabilities.
Despite these advancements, the fight against cyber threats is far from over. Cyberattacks continue to jeopardize patient safety, making cybersecurity a cornerstone of national security. The issue transcends political divides, offering a rare opportunity for bipartisan collaboration. As healthcare becomes increasingly reliant on interconnected technologies, a sector-wide approach is essential. HHS emphasizes the need to secure every component of the ecosystem, from medical devices to supply chains.
Key lessons for policymakers include investing in rural and under-resourced organizations, leveraging artificial intelligence to enhance security, and maintaining a holistic view of cybersecurity. As AI integration grows, HHS is committed to providing guidance on its secure implementation. The interconnected nature of healthcare demands vigilance across all sectors, ensuring every link in the chain is resilient.
Cybercriminals have grown more sophisticated, targeting sensitive patient data and disrupting operations with alarming precision. HHS has laid a strong foundation to combat these threats, but sustained efforts are crucial to safeguarding the healthcare system and ensuring patient trust. As we look to the future, continued collaboration and innovation will be vital in building a secure and resilient healthcare infrastructure.
How have the Cybersecurity Performance Goals (CPGs) contributed to improving cybersecurity across healthcare organizations?
Interview with Dr. Emily Carter, Cybersecurity Expert and Advisor to HHS on Healthcare Sector Resilience
Archyde News Editor: Good afternoon, Dr. Carter. Thank you for joining us today. The healthcare sector has been under increasing pressure due to cyberattacks in recent years. Can you provide an overview of the current state of cybersecurity in healthcare and why it has become such a critical issue?
Dr. Emily Carter: Thank you for having me. The healthcare sector is indeed facing unprecedented challenges when it comes to cybersecurity. Over the past few years, we’ve seen a notable surge in cyberattacks, ranging from ransomware to data breaches. These incidents are not just about stolen data—they directly impact patient safety and the reliability of healthcare systems. For example, cyberattacks have led to prolonged disruptions in hospital operations, forcing healthcare providers to redirect patients or even cancel critical medical procedures. This not only erodes trust in the system but also exposes vulnerabilities that can have life-threatening consequences.
Archyde News Editor: The U.S. Department of Health and Human Services (HHS) has been actively working to address these challenges. Can you elaborate on the strategies HHS has implemented to enhance cybersecurity resilience in the healthcare sector?
Dr. Emily Carter: Absolutely. HHS has taken a proactive and multifaceted approach to tackle this crisis. Over the past four years, the department has focused on three key pillars: policy and regulation, resource allocation, and sector-wide coordination. Under the policy umbrella, HHS introduced voluntary Cybersecurity Performance Goals (CPGs) to guide healthcare organizations in adopting high-impact practices. These CPGs are designed to help organizations prioritize actions that will have the most significant impact on their cybersecurity posture, such as improving incident response plans and securing medical devices.
Additionally, HHS has been working closely with other federal agencies, private sector stakeholders, and international partners to ensure a coordinated response. This includes sharing threat intelligence, providing technical assistance, and fostering collaboration across the healthcare ecosystem. The Biden-Harris Administration’s National Cybersecurity Strategy, released in 2023 and updated in 2024, has also been instrumental in driving these efforts forward.
Archyde News Editor: You mentioned the Cybersecurity Performance Goals (CPGs). How effective have these voluntary measures been in improving cybersecurity across healthcare organizations?
Dr. Emily Carter: The CPGs have been a critical step in the right direction. While they are voluntary, they provide a clear framework for healthcare organizations to follow, which is especially important given the varying levels of cybersecurity maturity across the sector. Many organizations have embraced these goals and are making significant strides in strengthening their defenses. However, challenges remain. Smaller healthcare providers, in particular, often lack the resources and expertise to fully implement these measures. This is where HHS’s resource allocation efforts come into play, providing funding, training, and technical support to help these organizations meet the CPGs.
Archyde News Editor: Looking ahead, what do you see as the biggest challenges and opportunities for improving cybersecurity in healthcare?
Dr. Emily Carter: One of the biggest challenges is the evolving nature of cyber threats. Attackers are becoming more sophisticated, and healthcare organizations must continuously adapt to stay ahead. This requires not only investment in technology but also a cultural shift toward prioritizing cybersecurity at all levels of the organization. On the opportunity side, I see tremendous potential in leveraging emerging technologies like artificial intelligence and machine learning to detect and respond to threats in real-time. Additionally, the increased collaboration between public and private sectors is a positive development that will help build a more resilient healthcare ecosystem.
Archyde News Editor: What advice would you give to healthcare organizations looking to strengthen their cybersecurity defenses?
Dr. Emily Carter: My advice would be to start by implementing the HHS Cybersecurity Performance Goals. These provide a solid foundation for improving your cybersecurity posture. Additionally, invest in training your staff to recognize and respond to potential threats, as human error is often a significant factor in cyber incidents. Don’t go it alone—engage with industry groups, government agencies, and cybersecurity experts to stay informed about the latest threats and best practices. Cybersecurity is a shared responsibility, and collaboration is key to protecting our healthcare systems and, ultimately, our patients.
Archyde News Editor: Thank you, Dr. Carter, for your insights and expertise. It’s clear that cybersecurity in healthcare is a complex but critical issue, and your perspective has been invaluable.
Dr. Emily Carter: Thank you for the opportunity to discuss this important topic. I’m hopeful that with continued effort and collaboration, we can build a more secure and resilient healthcare system for the future.