HHS Ambassador Ty Greenhalgh On What To Expect From Federal Cybersecurity Guidance In Healthcare

On Jan. 24 the HHS released voluntary Healthcare and Public Health (HPH) cybersecurity performance goals (CPGs) to provide guidance on protection against cyberattacks. They cover safeguards such as email security, multifactor authentication and basic cybersecurity training.

The goals come after the healthcare industry has faced several big breaches, including a ransomware attack at health system Ardent Health Services in November.

A collaboration between the Healthcare and Public Health Sector Coordinating Council — a public-private partnership — and the federal government, the HHS 405(d) Task Group offers resources and tools to prepare healthcare organizations to face cyber threats. In 2023 the task group released the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” a document HHS used to develop the CPGs.

Healthcare Dive caught up with Ty Greenhalgh, an ambassador with the HHS task group and an industry principal for healthcare at cybersecurity firm Medigate by Claroty, to find out what healthcare organizations need to know about the HHS cybersecurity guidance.

Editor’s note: This interview has been edited for clarity and brevity.

HEALTHCARE DIVE: Why is the healthcare industry experiencing a significant rise in cyberattacks? Is healthcare more vulnerable than other industries?

TY GREENHALGH: I think so. The expression I use is “fish where the fish are.” On average, the healthcare industry spends less on cybersecurity than on the electronic record itself, because it’s got so much information in it and is the most valuable record in all of the industries. And then patient lives are an effective motivator to make people pay. When you take away the services or you shut down a hospital, people’s lives are in the balance. So it’s easier, it’s more profitable and they’re making billions doing it. Unless we do something, they’re not going away.

What is the HHS 405(d) Task Group, and as an ambassador for this group, how are you working to establish guidance on cybersecurity performance goals (CPGs)?

I’ve been a part of the task group since 2017. The group itself was created out of a congressional mandate from the Cybersecurity Information Sharing Act of 2015. 

And I’m just one of hundreds that have contributed to the creation of HICP, which is Healthcare Industry Cybersecurity Practices. It’s a document of the best practices for protecting healthcare. What’s happened is, the government said, we keep getting our lunch money stolen no matter what we’re doing.

The government’s put out these voluntary best practices and even put out incentives to say, “If you’ll do these practices, and you get breached, we will be very lenient on you.”

The industry hasn’t responded, and so they’re putting their foot on the scale here a little bit and saying, we’re going to make these minimum requirements or minimal standards, and move them into requirements.

You mentioned that the healthcare industry is “getting its lunch money stolen.” What did you mean by that?

No matter what we’re doing, it seems healthcare just keeps getting hit over and over. There’s ransomware here and ransomware there. That creates a huge impact financially for the healthcare organization, whether it’s in fines and fees, or ransoms, or just not being able to keep your doors open.

They are just coming in and taking profitability out of the healthcare industry, which is already suffering. And many hospitals are closing because of it. So healthcare needs to keep its money to keep healthcare functioning, and they just keep coming in and taking it.

You mentioned that the requirements are starting off voluntarily. At what point do they become mandatory?

That’s the big question. One way would be as they suggested in those four pillars in the healthcare concept paper that Deputy Secretary Andrea Palm put out on Dec. 6. It talked about redoing [the Health Insurance Portability and Accountability Act ](HIPAA) and opening up HIPAA to revise the Security Rule to include these HPH CPGs.

So then the HHS would have the ability to say, if there’s a breach, and you haven’t been doing these HPH CPGs, they’re going to fine you. And maybe they’ll start making the penalties more stiff until they get people to just do it. They could give everybody a couple years to get up to speed.

The CMS controls the Medicare and Medicaid reimbursement, and the conditions of participation are determined based on passing audits. And so they may create audits through the Joint Commission, and other regulatory or other agencies to go validate that these HPH CPGs are being followed, and then determine whether there are penalties. Maybe a hospital is stopped from participating at all. I think that’s risky because it can really impact a lot of hospitals negatively when you’re really trying to help them.

So they’ve got different mechanisms. We don’t really know exactly how they’re going to do it yet.

What are the next steps as far as the cybersecurity goals and what HIPAA standards the HHS could implement going forward?

I think they’re going to quickly open up the HIPAA Security Rule and revise it to include these HPH CPGs and talk more about vulnerability management as a practice and not just a compliance checklist. So in doing that, HHS will then be able to go through the rulemaking process and ferret out what the language really looks like from a regulation perspective. Hospitals can start figuring out how they’re going to embrace these HPH CPGs.

The first move is to reinforce that these will become requirements. And what the regulations look like around that as they go to Congress and try to get money or determine whether they’re going to use their Medicare reimbursement to incentivize either through reduction or increase. So I think it’s open up HIPAA, include HPH CPGs, start figuring out what that regulation is going to look like, what the requirements are actually going to be, as they’re simultaneously trying to find funding to make this more palatable.