AHA pushes back on HHS proposal to penalize hospitals for cyberattacks

The American Hospital Association says the U.S. Department of Health and Human Services' recently released cybersecurity strategy document, which outlines the agency's “ongoing and planned steps to improve cyber resilience and protect patient safety,” would have counterproductive consequences for hospitals after cyber attacks.

WHY IT MATTERS

In its strategy document, HHS calls for new cybersecurity requirements for hospitals and outlines voluntary healthcare-specific cybersecurity performance goals.

HHS also said it would work with Congress to develop funding and incentives for domestic hospitals to improve cybersecurity through Medicare and Medicaid. It says CMS is working on and will propose new cybersecurity requirements for hospitals through Medicare and Medicaid, and that the Office for Civil Rights will begin adding new cybersecurity requirements to the Health Insurance Portability and Accountability Act Security Rule in spring 2024.

“Funding and voluntary targets alone will not drive the cyber-related behavior change needed in the healthcare sector,” HHS said in the policy paper released on Wednesday.

By developing enforceable cybersecurity standards and strengthening its role, HHS says it will enforce new cybersecurity requirements “by imposing financial consequences on hospitals.”

“HHS will also continue to work with Congress to increase civil monetary penalties for HIPAA violations and increase resources for HHS to investigate potential HIPAA violations, conduct proactive audits, and increase outreach and technical support to underserved organizations to scale up resources to improve HIPAA compliance,” the agency said.

As Rick Pollack, president and CEO of AHA, told Healthcare IT News by email on Thursday: “No organization, including federal agencies, is or can be immune from cyberattacks.”

AHA's response to HHS on its strategy to improve healthcare cybersecurity was twofold.

The hospital association welcomes both federal expertise and funding investments that will help hospitals and health care systems protect patients from the range of devastating consequences of cyberattacks, Pollack said.

“However, hospitals and healthcare systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks,” he said, noting that AHA has worked closely with the FBI, HHS, the Cybersecurity and Infrastructure Security Agency and others to prevent cyber attacks.

“However, this battle is largely against sophisticated, foreign-based hackers who often operate with the permission of and in collusion with hostile nation states,” Pollack said. “Defeating these hackers will require the combined expertise and powers of the federal government.”

While many recent cyberattacks in healthcare “have originated from third-party and other vendor technology,” the AHA cannot support proposals for mandatory cybersecurity requirements imposed on hospitals.

THE BIG TREND

In October, HHS and CISA released the Cybersecurity Toolkit for Healthcare and Public Health, a set of resources for healthcare organizations of all sizes to address cyber hygiene and strengthen defenses to stay ahead of ever-evolving threats.

“We have seen a significant increase in the number and severity of cyberattacks against hospitals and healthcare systems in recent years,” HHS Deputy Secretary Andrea Palm said when the toolkit was announced.

Third-party risk management is a challenge for many resource-constrained healthcare organizations, even with provider assessment questionnaires and tools that update risk profiles.

In July, the Health 3rd Party Trust Initiative, which includes a spectrum of healthcare and security organizations such as HITRUST and CORL, said that 55% of healthcare organizations had experienced a third-party breach in the past year.

Health3PT says these organizations are suffering from vendor audit fatigue caused by the mountain of proprietary security questionnaires they receive.

As HIPAA covered entities struggle to keep pace, the organization has released a Guided Practices & Implementation Guide to create standards for the TPRM ecosystem and recommends sharing assessments electronically.

ON THE RECORD

“HHS takes these threats very seriously and we are taking steps that will ensure our hospitals, patients and communities affected by cyberattacks are better prepared and safer,” Palm said in the HHS announcement.

“No organization, including federal agencies, is or can be immune from cyber attacks,” Pollack told Healthcare IT News. “Imposing fines or reducing Medicare payments would reduce hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks.”

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.