
Summary of the Department of Health and Human Services Healthcare Sector Cybersecurity Strategy

Cyber incidents in all industries, including healthcare, are on the rise. In response, the United States government released the National Cyber Security Strategy Guidance - Cybersecurity Performance Goals in July of 2023.

The Department of Health and Human Services (HHS) has issued:

  • Voluntary healthcare cybersecurity guidance 

  • Cybersecurity training support for small and mid-sized healthcare organizations 

  • Quality System Considerations for medical devices 

  • Telehealth guidance for patients and providers 

These Cybersecurity Performance Goals will: 

  • Help healthcare institutions prioritize critical implementation

  • Include both essential (immediate) and enhanced (longer term) goals  

The HHS will obtain new authority for: 

  • Updating HIPAA to include new cybersecurity requirements and imposing new Medicare and Medicaid requirements 

  • Conducting investigations and proactive audits and increasing monetary penalties for violations 


The HHS will obtain new funding for: 

  • Technical assistance for low-resourced organizations to improve compliance 

  • Defraying upfront costs associated with implementing “essential” goals 

  • Offering incentive programs to encourage hospitals to implement “enhanced” goals

How Security Counsel can help: 

  • We can help you understand and implement the recommendations surrounding these Cybersecurity Performance Goals 

  • We help you achieve the essential goals quickly and systematically work toward the enhanced goals

  • We have a specialized focus on healthcare organization cybersecurity operations  

  • We can help you understand the available Federal funding to help offset some of the costs of this effort

  • One of our board members, a CISO at a large healthcare network, was an integral part of the team that drafted the guidance



through phishing, ransomware and other human-centered means



hospital infrastructure and security operations deficiencies



HIPAA, HICP 405D, and other patient-centric requirements

Cyberattacks involved over 40M individual patient records in the first half of 2023

Attacks are up 104% from the second half of 2022 to the first half of 2023

57% of healthcare providers reported negative patient outcomes due to cyberattacks


The full cybersecurity team at the Department of Health and Human Services consists of these organizations
