In response to the recent ransomware attack on Change Healthcare, the Department of Health and Human Services (HHS) is taking significant steps to bolster healthcare cybersecurity measures. The attack, deemed the "most serious of its kind" in the healthcare sector, has prompted HHS to streamline its resources and programs to better address cybersecurity risks.

HHS is spearheading this effort through the Administration for Strategic Preparedness and Response (ASPR), designating it as the central hub for cybersecurity initiatives within the department. Brian Mazanec, Deputy Director for ASPR’s Office of Preparedness, emphasized ASPR's role as the "one-stop shop" for managing information sharing across HHS, industry partners, and interagency collaborations.

While ASPR takes the lead in coordinating cybersecurity efforts, other HHS organizations also contribute significantly to managing various healthcare cybersecurity risks. The Health Sector Cybersecurity Coordination Center (HC3) under the HHS Office of the Chief Information Officer plays a pivotal role, along with the Food and Drug Administration (FDA), which regulates the cybersecurity of medical devices.

Additionally, the Centers for Medicare and Medicaid Services (CMS) have been instrumental in providing assistance to the healthcare sector post-incident. Meanwhile, HHS' Office of Civil Rights (OCR) is actively investigating data breaches involving protected health information, including the Change Healthcare hack.

Acknowledging the complexity of engaging with the federal government on cybersecurity matters, Mazanec highlighted the need to establish a unified entry point through ASPR to access resources across HHS. Lawmakers, including Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters, have raised concerns about the federal response to the incident and called for preventive measures and public awareness campaigns.

The urgency to address cybersecurity vulnerabilities in the healthcare sector is underscored by its status as the prime target for ransomware attacks, as reported by the Internet Crime Complaint Center. In line with the Biden administration's emphasis on regulating critical infrastructure cybersecurity, the Cybersecurity and Infrastructure Security Agency (CISA) recently proposed cyber incident reporting rules for all 16 critical infrastructure sectors.

Looking ahead, HHS plans to implement a new cybersecurity strategy outlined in a December white paper by ASPR. The strategy entails incentivizing cybersecurity best practices, setting voluntary goals for the healthcare sector, and proposing new cybersecurity requirements for hospitals through CMS. Central to this strategy is the designation of ASPR as the "one-stop shop" for healthcare cybersecurity, aimed at enhancing coordination, response capabilities, and partnership with industry stakeholders.

The establishment of this centralized approach reflects HHS' commitment to safeguarding the healthcare sector against evolving cyber threats, ensuring resilience, and promoting collaboration between government and industry stakeholders to mitigate risks effectively.