2024 is shaping up to be a very active year for regulatory and enforcement developments in the healthcare industry – developments that concern not just hospitals and nursing facilities, but many non-healthcare companies as well, including technology companies, that engage in business practices directly creating compliance risk for the industry.
The top new regulatory and enforcement initiatives that have either already entered into force or are forthcoming in 2024 include:
- New healthcare-specific cybersecurity requirements
- Higher penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA)
- New policy initiatives to scrutinize healthcare-related anticompetitive practices
- Enhanced oversight of private equity (PE) firms’ ownership structures
- New regulations addressing the use of artificial intelligence in healthcare
In short, 2024 promises to be an especially busy year for chief compliance officers, chief risk officers, and their counsel across many sectors and subsectors of the healthcare industry.
This post, the second in a three-part series, covers the increased cybersecurity expectations for the healthcare industry. You can find the first post, covering trends in enforcement for healthcare companies, here.
With these regulatory and enforcement developments, including cybersecurity requirements for healthcare companies, the U.S. Department of Health and Human Services (HHS) will not be the only agency enhancing its oversight of HIPAA violations and, more generally, of non-compliant patient health and safety practices. Other federal agencies focusing on the healthcare industry include the Antitrust Division of the U.S. Department of Justice (DOJ), the U.S. Federal Trade Commission (FTC), and, with respect to cybersecurity practices in healthcare, the Cybersecurity and Infrastructure Security Agency (CISA).
New voluntary healthcare-specific cybersecurity performance goals
On January 25, 2024, HHS published its widely anticipated voluntary healthcare-specific Cybersecurity Performance Goals (CPGs) intended to help healthcare organizations “strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety,” according to HHS.
The CPGs outline ten “essential” and “enhanced” cybersecurity goals for healthcare organizations to adopt. The essential goals address common vulnerabilities and establish safeguards to better protect against cyber-attacks, improve responses when events occur, and minimize residual risk, HHS said. These goals include mitigating known vulnerabilities; deploying email security and encryption; implementing multi-factor authentication; managing credentials; cybersecurity training; incident response; and more.
The enhanced cybersecurity goals are designed to encourage healthcare organizations to adopt advanced cybersecurity practices. These goals include, for example, maintaining an inventory of the healthcare organization’s assets; responding to third-party threats and vulnerabilities; engaging in penetration testing; adopting specific technical protocols for detecting and responding to cyber threats; and structuring cybersecurity incident response plans around relevant threat scenarios.
Risk and compliance professionals in the healthcare industry seeking additional guidance should review the healthcare-specific CPGs in combination with the cybersecurity toolkit released by HHS and CISA in October 2023. The toolkit consolidates several additional resources, including CISA’s Cyber Hygiene Services, HHS’s Health Industry Cybersecurity Practices, and the Healthcare and Public Health Sector Cybersecurity Framework Implementation Guide.
New cybersecurity requirements and higher penalties
Publication of the healthcare-specific CPGs followed a concept paper that HHS released in December 2023, in which it highlighted a forward-looking strategy for tackling cyber risks in the healthcare industry. In its concept paper, HHS announced its intent to not only create an incentives program to encourage hospitals “to invest in advanced cybersecurity practices,” but also to “enforce new cybersecurity requirements through the imposition of financial consequences for hospitals.”
As explained by HHS, “Voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector.” HHS said it further aspires to incorporate the CPGs into existing regulations and programs to “inform the creation of new enforceable cybersecurity standards.”
As part of the U.S. government’s broader effort to enhance cybersecurity practices in the healthcare industry, the Centers for Medicare and Medicaid Services (CMS) is considering proposed new cybersecurity requirements for hospitals through Medicare and Medicaid. Additionally, the Office for Civil Rights (OCR) has indicated its intent to revise the HIPAA Security Rule in spring 2024 to include new cybersecurity requirements as well.
HHS further warned the industry in its concept paper that it will work with Congress to “increase civil monetary penalties for HIPAA violations and increase resources for HHS to investigate potential HIPAA violations, conduct proactive audits, and scale outreach and technical assistance for low-resourced organizations to improve HIPAA compliance.”
To learn more about how NAVEX can help keep your healthcare organization compliant with current and upcoming regulations, check out our solutions by industry.