HHS Cyber Incentive and Mandate Plans: What Providers Need to Know

The Biden Administration’s proposed FY 2025 budget for the Department of Health and Human Services contains a blueprint for the federal government’s and regulators’ plans to move the needle on healthcare cybersecurity with incentives, mandates, and penalties.

Issued in March, the request of $130.7 billion in discretionary spending and $1.7 trillion in mandatory expenditures for HHS proposes funding for existing programs outlined in current law and includes cyber-specific allocations.

If the budget passes, HHS would receive $141 million for cybersecurity initiatives through its Office of the Chief Information Officer and another $12 million for the Administration of Strategic Preparedness and Response (ASPR). HHS also announced in May that it intends to dedicate $500 million in funding specifically to improving the sector’s cybersecurity.

The hope is that through the proposed funding and by continuing to work with Congress, HHS can begin to move healthcare “from a voluntary system to one that requires adoption of those practices,” according to HHS Deputy Secretary Andrea Palm.

Industry leaders have long discussed a future where baseline standards could be mandated. But if the budget passes as written, healthcare delivery organizations have a very specific timeline for just when these mandated cybersecurity measures would go into effect.

Here’s what providers need to know:

  • HHS intends to issue a Medicare incentive program to shift hospitals into adopting cybersecurity defenses
    • Under this plan, HHS would invest $800 million to approximately 2,000 high-need hospitals in FY 2027 and 2028
  • By 2029, hospitals could face penalties of up to 100% of the annual market basket increase for not following the measures outlined in the 10 essential Cyber Performance Goals
  • For Critical Access Hospitals, failure to adopt Essential CPGs would result in financial penalties capped at up to 1% of base payment
  • And by 2031, failure to adopt essential and enhanced CPGs could lead to market basket + base payment penalties for Acute Care Hospitals

The good news is that HHS previously issued the 10 essential and 10 enhanced cyber performance goals, which detail the precise measures needed to achieve these long-term goals. The earlier release and subsequent update of the Health Industry Cybersecurity Practices (HICP) provide network defenders with step-by-step guidance not only on how to implement these baseline standards, but also on how to prioritize adoption.

Under the current threat landscape, and with the massive fallout from the cyberattacks on Change Healthcare and Ascension (and their staggering patient safety concerns and impacts), healthcare entities must assess how their organization is adapting, review its current cybersecurity adoption and governance policies for its enterprise and clinical environments, then identify gaps and take action.

It’s a business imperative, a patient safety imperative, and soon to be a regulatory one.