3rd Party Risk Management , Business Continuity Management / Disaster Recovery , Critical Infrastructure Security
A Look Inside Biden's Spending Proposals for HHS Agencies
White House's Fiscal 2023 Budget Seeks Increases for Assorted HHS Security EffortsThe Biden administration is seeking fiscal 2023 budget increases for the Department of Health and Human Services, including a boost in funding for various cybersecurity initiatives including medical device security and regulatory and enforcement efforts related to secure health data exchange and related issues.
See Also: Using the Netskope HIPAA Mapping Guide
President Biden's fiscal 2023 budget requests, announced on Monday, include a total $127.3 billion in discretionary budget authority and $1.7 trillion in mandatory funding for HHS. That compares with $114 billion in discretionary budget authority and $1.5 trillion in mandatory funding for HHS in fiscal 2022.
The president's budget is little more than a wish list because Congress must enact appropriations, and the final funding levels always differ from the administration's requests.
Among other security-related initiatives across various HHS offices and agencies, the budget in brief document says that HHS's budget includes $161 million for the HHS Cybersecurity Program to strengthen HHS's cybersecurity posture across the department, including $50 million to implement zero trust architecture and security logging.
FDA Funding
For fiscal 2023, the Food and Drug Administration is requesting a total budget of $8.4 billion, a nearly 34% - or $2.1 billion - increase over the agency's fiscal 2022 appropriated funding level for investments in critical public health modernization, core food safety and medical product safety programs and other vital public health infrastructure, HHS's budget document says.
This includes a requested $5 million increase toward improving the safety and security of medical devices.
"Developing a more comprehensive cybersecurity program for medical devices will help to identify and mitigate vulnerabilities that could compromise medical systems or disrupt device manufacturing or consumer use, placing national security at risk," the document says.
Dedicated base funding for a cybersecurity program will allow the FDA to hire additional staff to recruit and develop greater cyber expertise within the devices program, as well as administer grants and contracts to develop infrastructure geared toward addressing emerging cybersecurity challenges, the document says.
OCR's Budget Request
The Biden administration is requesting a $23 budget increase for the Office for Civil Rights, which oversees HIPAA- and health-related civil rights enforcement. That request includes a fiscal 2023 $60 million discretionary budget, compared with $40 million in fiscal 2022.
In addition, OCR in fiscal 2023 will have $21 million collected from previous HIPAA civil monetary penalties and settlements, which will be used to fund its HIPAA enforcement activities in the coming fiscal year. That's up slightly from $19 million in funding from civil monetary penalty and settlement collections in fiscal 2022.
OCR is looking to add 91 full-time-equivalent workers for a total of 281, versus 190, full-time-equivalent workers in fiscal 2022, the budget document says.
ONC Funding
For the Office of the National Coordinator for Health IT, HHS is seeking a fiscal 2023 budget of $104 million at the program level, an increase of $40 million above fiscal 2022 enacted.
The proposed budget includes $52 million for ONC’s standards, certification and interoperability work - an increase of $20 million above fiscal 2022 enacted. ONC's certification work will focus on implementing rule-making and investing in standards updates to increase interoperability and improve equity through health IT activities.
The budget also includes a legislative proposal to provide ONC with the authority to create an advisory process to issue opinions on information blocking practices.
HHS's information blocking rule, which was called for under the 21st Century Cures Act and went into effect for compliance in April 2021, generally prohibits healthcare providers, health IT developers and health information exchanges from knowingly interfering with the access, exchange or use of electronic health information.
Under the rule, individuals or entities can request advisory opinions from ONC concerning whether the requestor's practice or proposed practice is considered "information blocking."
HHS's watchdog agency, the Office of Inspector General, is responsible for enforcing the information blocking regulations.
The budget proposals also promote and support ONC's Trusted Exchange Framework and Common Agreement. TEFCA is a set of foundational principles that established an advanced health IT infrastructure enabling different health information exchanges and networks to securely exchange patients clinical information.
The proposed fiscal 2023 budget provides $39 million for ONC, an increase of $18 million above fiscal 2022 enacted, to advance the implementation of the Common Agreement through the three-year Fast Healthcare Interoperability Resources road map published at the beginning of 2022, the budget brief document says.
OIG Budget Request
For HHS OIG, the president is requesting $454 million, a $37 million increase above FY 2022 enacted.
With a $26.3 million increase in FY 2023, OIG will invest $20 million in the cybersecurity improvements and information blocking rule enforcement activities requested in FY 2022.
"This OIG funding will be dedicated to cybersecurity and digital technology expansion, which will provide vital resources to hire specialized personnel from a competitive cybersecurity job market, increase OIG's cybersecurity efforts, support needed expansions in digital technology, modernize OIG's IT infrastructure, and further promote an artificial intelligence-ready workforce," the budget brief says.
"HHS and the healthcare industry face significant cybersecurity risks that OIG oversight and enforcement work will help mitigate," it says.
The boost in OIG funding also will pay for investigative and enforcement activities related to compliance with HHS's information blocking rule, according to the document.
"Information blocking interferes with, prevents, or materially discourages access, exchange, or use of electronic health information and can threaten patient safety and undermine efforts by providers, payers, and others to make the U.S. healthcare system more efficient and effective."
Biggest Bang for Buck?
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says certain HHS funding requests have the potential to help boost overall healthcare sector data security and privacy.
An example is increased budget and staffing for ONC to issue advisory opinions on information blocking, he says, adding, "A lot of additional guidance is needed for information blocking actors to understand how to balance information sharing, privacy and reasonableness."
Greene also says increased staffing for OCR could allow for more guidance to assist smaller entities with cybersecurity best practices and to address privacy issues, including how HIPAA applies to social media and text messaging.