13 cybersecurity recommendations for government, hospitals

As a starting point to address the high levels of cybercrime against the healthcare industry, the Foundation for Defense of Democracies has issued strong recommendations for the executive branch, Congress, and the healthcare ecosystem. While the new report emphasized greater use of third-party managed IT services – even on a part-time basis for resource-poor organizations – and more employee cyber hygiene training, most of FDD’s recommendations were directed at the government.

“The health and well-being of the American people depend on it,” the authors said in the new report.

WHY IT MATTERS

FDD provided an overview of government- and industry-led efforts to prevent healthcare cyberattacks in the Healthcare Cybersecurity Needs a Check Up report. The outcomes of ransomware attacks, which have proven to be the most disruptive to services, freezing provider systems and stealing protected health information, are not always clear.

Studies of the harm to patients from these incidents “likely underestimate the human toll,” said the authors, Michael Sugden and Annie Fixler.

The report’s recommendations are focused on moving the critical sector toward a more attack-resistant future, highlighting the unique challenges faced by rural hospitals, which serve approximately 14% of the U.S. population.

“These hospitals tend to operate on extremely tight budgets, with 50% of hospitals nationwide operating at a loss,” they said. And as a result, they are less prepared to prevent or respond to ransomware attacks.

The executive branch must take action by updating its strategy for the sector.

“Provide roadmaps to secure key lifesaving services, incorporate stakeholder feedback on cybersecurity goals, and address the rural cybersecurity workforce gap,” Sugden and Fixler said.

“The solution to today’s gaps is not reactive regulation that pursues cybersecurity through compliance. Instead, the sector needs a proactive, collaborative approach,” they added.

Their recommendations for the government include:

  • Develop new, sector-specific, long-term cybersecurity goals.
  • Work with industry to identify, prioritize and secure life-saving services.
  • Update cybersecurity performance goals iteratively.
  • Accelerate the CPG Compliance Incentive Program timeline.
  • Create a development strategy for rural hospital cybersecurity workforces.
  • Reassess the list of systemically important entities.

The recommendation for the government to reassess the SIE list is partly a response to the cascading cyberattack that Change Healthcare faced this year.

The authors also said the industry must “invest more in cybersecurity, including by properly recruiting security teams, implementing organization-wide cyber hygiene training, and developing contingency plans for destructive cyber attacks.”

While healthcare providers must “ensure they are mobilizing funding” to prevent and respond to cyber incidents, many under-resourced hospitals lack the means to do so. To this end, the FDD report recommends that providers with scarce resources contract part-time cybersecurity staff, possibly through managed IT service providers.

Their recommendations for the industry are:

  • Spend more on cybersecurity.
  • Provide cyber hygiene training to all employees.
  • Develop regional emergency plans for healthcare providers.

Sugden and Fixler emphasized the importance of cyber hygiene training for employees, as phishing remains the most common attack vector and has been significantly boosted by the widespread use of large language models, noting that “free or relatively inexpensive” programs exist that “could prevent attacks that would otherwise cost healthcare providers millions of dollars or endanger the lives or privacy of patients.”

They urged Congress to fund relevant executive agencies and programs to better support the sector, noting that the U.S. Department of Health and Human Services has requested additional resources to expand its workforce and its capabilities to respond to and mitigate incidents.

In March, the Administration for Strategic Preparedness and Response, HHS’s lead agency for critical infrastructure protection, requested an additional $5 million for fiscal year 2025 to address workforce needs.

“It is critical that Congress approve this request,” the FDD researchers said.

The recommendations for Congress are:

  • Ensure that a sector risk management agency’s resources and organizational structure are optimally efficient.
  • Increase funding for HHS’ SRMA capabilities.
  • Fund HHS’s CPG financing and incentive program.
  • Direct and resource HHS to establish a pilot program for rural virtual Chief Information Security Officers.

THE BIG TREND

There is a direct link between cyber attacks in hospitals and patient mortality. A 2022 study from the Ponemon Institute and Proofpoint found that more than 20% of healthcare organizations hit by ransomware or another type of cyberattack subsequently experienced an increase in mortality.

“Healthcare has historically lagged behind other industries in addressing vulnerabilities to the growing number of cyber attacks, and this inaction has a direct negative impact on patient safety and well-being,” said Ryan Witt, cybersecurity leader in healthcare at Proofpoint, in a statement when the study was released.

When HHS called for new cybersecurity requirements for hospitals and outlined voluntary CPGs in December, it pledged to work with Congress to develop funding and incentives for domestic hospitals to improve cybersecurity.

“Funding and voluntary targets alone, however, will not achieve the cyber-related behavior change needed in the healthcare sector,” HHS said in the policy announcement.

In developing enforceable cybersecurity standards and strengthening its role, HHS said it would also enforce new cybersecurity requirements “by imposing financial consequences on hospitals,” which health care leaders and the American Hospital Association pushed back on.

“Defeating these hackers will require the combined expertise and authorities of the federal government,” Rick Pollack, president and CEO of the AHA, told Healthcare IT News when HHS published the policy document.

ON THE RECORD

“The federal government should leverage expanded public-private partnerships through HHS to strengthen the cyber resilience of healthcare providers and protect the health and safety of the people they serve,” the FDD authors said.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.