Healthcare Sector Cybersecurity Recommendations Needed Amidst Attacks

Andrea Fox, writing in Health IT News, notes that rural hospitals are frequent victims of ransomware attacks, and rural patients with no nearby alternatives for lifesaving care are at high risk because of it. A report by the Foundation for Defense of Democracies (FDD), says that government, congress, and the industry must act on healthcare sector cybersecurity.

The report offers some strong recommendations for how the government can help the healthcare sector address cybersecurity crime. “The health and welfare of the American people depend on it,” the authors say. “Rural hospitals tend to run on extremely tight budgets, with 50 percent operating at a loss,” and as a result, they are less prepared to prevent or react to ransomware attacks. 

The recommendations for the government include:

• Develop new, long-term sector-specific cybersecurity objectives
• Work with industry to identify, prioritize, and secure lifesaving services
• Update cybersecurity performance goals iteratively
• Accelerate the compliance policy guides
• Create a rural hospital cybersecurity workforce-development strategy
• Reassess the Systemically Important Entities List (in part a reaction to the cyberattack on Change Healthcare earlier this year, which affected the whole healthcare system).

In December, when the Dept. of Health and Human Services called for new cybersecurity requirements for hospitals and outlined voluntary compliance policy guides, it added a disclaimer: “Funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector.” It said that HHS would enforce new cybersecurity requirements “through the imposition of financial consequences for hospitals.”

Healthcare leaders and the American Hospital Association pushed back on that and stated that many under-resourced hospitals lack the means to pay more for healthcare sector cybersecurity. The FDD report recommends that providers that lack the money to hire a cybersecurity team utilize managed IT service providers.