The Foundation for Defense of Democracies offered strong recommendations for the executive branch, Congress and the healthcare ecosystem to address the high level of cybersecurity crime against the healthcare sector.
The new report stresses increasing third-party managed IT services, even part of the time, by under-resourced provider organizations, and enhancing employee cyber hygiene training, but most of FDD’s recommendations were levied at the government.
“The health and welfare of the American people depend on it,” the authors said in the new report.
WHY IT MATTERS
FDD provided an overview of government and industry-led efforts to prevent healthcare cyberattacks in the report, Healthcare Cybersecurity Needs a Check Up. The outcomes of ransomware attacks are not always clear, but have proven to be the most disruptive to services, freezing provider’s systems and stealing protected health information.
Studies of patient harm that follow these incidents “likely undercount the human toll,” the authors, Michael Sugden and Annie Fixler, said.
In the report, they aim to guide the critical sector into a more attack-resilient future, and highlight the unique challenges for rural hospitals, which serve approximately 14% of the U.S. population.
“These hospitals tend to run on extremely tight budgets, with 50% of rural hospitals operating at a loss,” they said. And as a result, they are less prepared to prevent or react to ransomware attacks.
The executive branch must act by updating its strategy for the sector.
“Provide roadmaps to secure key lifesaving services, incorporate stakeholder feedback on cybersecurity goals and address the rural cybersecurity workforce gap,” Sugden and Fixler said.
“The solution to current gaps is not reactive regulation that seeks cybersecurity through compliance. Instead, the sector needs a proactive, collaborative approach,” they added.
Their recommendations for the government include:
- Develop new, long-term sector-specific cybersecurity objectives.
- Work with industry to identify, prioritize and secure lifesaving services.
- Update cybersecurity performance goals iteratively.
- Accelerate the CPG compliance incentivization program’s timeline.
- Create a rural hospital cybersecurity workforce-development strategy.
- Reassess the Systemically Important Entities List.
The recommendation that the government reassess the SIE list is, in part, a reaction to the chain reaction cyberattack experienced by Change Healthcare this year.
The authors also said that the industry “must invest more in cybersecurity, including by properly resourcing security teams, implementing organization-wide cyber hygiene training and developing contingency response plans for destructive cyberattacks.”
While healthcare providers “must ensure that they allocate funding” to prevent and react to cyber incidents, many under-resourced hospitals lack the means. For this, the FDD report recommends that resource-scarce providers hire a cybersecurity resource of contract with part-time cybersecurity, perhaps utilizing managed IT service providers.
Their recommendations for the industry are:
- Spend more on cybersecurity.
- Provide cyber hygiene training to all employees.
- Develop regional contingency plans for healthcare providers.
Sugden and Fixler stressed the importance of employee cyber hygiene training, as phishing is still the most common exploit. It has gained a significant assist from the expanded use of large language models, and they noted that “free or relatively inexpensive” programs exist that can “prevent attacks that would otherwise cost providers millions of dollars or endanger patient lives or privacy.”
They urged Congress to fund relevant executive agencies and programs to support the sector better, noting that the U.S. Health & Human Services requested additional resources to expand its workforce and capabilities dedicated to incident response and mitigation.
In March, the Administration for Strategic Preparedness and Response, HHS’s lead for critical infrastructure protection, requested an additional $5 million for FY 2025 to address workforce needs.
“It is critical that Congress approve this request,” the FDD researchers said.
The recommendations for Congress are:
- Ensure a sector risk-management agency resources and organizational structure are optimally efficient.
- Increase funding for HHS’s SRMA capabilities.
- Fund HHS’s CPG resourcing and incentive program.
- Direct and resource HHS to establish a rural virtual chief information security officer pilot program.
THE LARGER TREND
There’s a direct link between hospital cyberattacks and patient mortality, according to a 2022 Ponemon Institute and Proofpoint study that found that more than 20% of healthcare organizations hit with ransomware or another type of cyberattack subsequently experienced an increase in mortality rates.
“Healthcare has traditionally fallen behind other sectors in addressing vulnerabilities to the growing number of cybersecurity attacks, and this inaction has a direct negative impact on patients’ safety and wellbeing,” Ryan Witt, healthcare cybersecurity leader at Proofpoint, said in a statement when the study was released.
In December, when HHS called for new cybersecurity requirements for hospitals and outlined voluntary CPGs, it pledged to work with Congress to develop funding and incentives for domestic hospitals to improve their cybersecurity.
However, “funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector,” HHS said in the policy announcement.
By developing enforceable cybersecurity standards and strengthening its role, HHS said it would also enforce new cybersecurity requirements “through the imposition of financial consequences for hospitals,” to which healthcare leaders and the American Hospital Association pushed back.
“Defeating these hackers requires the combined expertise and authorities of the federal government,” Rick Pollack, AHA’s president and CEO, told Healthcare IT News when HHS released the policy paper.
ON THE RECORD
“The federal government should utilize extensive public-private collaboration through HSS to strengthen healthcare providers’ cyber resiliency and protect the health and safety of the people they serve,” the FDD authors said.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.