A new federal law setting cybersecurity standards for healthcare organizations is needed, but many hospitals may need even more funding than it offers to shore up their defenses and sustain those improvements, experts say. Cybersecurity is expensive.
The Health Infrastructure Security and Accountability Act, introduced last month by Sen. Ron Wyden, D-Ore., and Sen. Mark Warner, D-Va., would direct HHS to establish minimum cybersecurity standards for health care providers, health plans and organizations that handle claims, covering both administrative and clinical institutions. This includes stronger requirements for systemically important organizations and for organizations deemed key to national security.
Covered organizations would also be required to undergo annual security risk audits, and the bill would provide funding to help hospitals adopt cybersecurity practices. The bill was referred to the Senate Finance Committee for consideration late last month.
“With hacks already targeting institutions across the country, it's time for healthcare providers and vendors to go beyond voluntary standards and get serious about cybersecurity and patient safety,” Warner said in a statement when the bill was announced.
Experts say the bill is a good starting point for strengthening cyber preparedness, especially since the healthcare sector is frequently the target of damaging attacks.
“We can't force the entire industry to do what it wants,” said Steve Cagle, CEO of healthcare cybersecurity company Clearwater. “It's a bit of a Wild West feel.”
“A small drop in the sea”
The bill would allocate $800 million over two years to 2,000 rural and urban safety-net hospitals to implement mandatory cybersecurity standards. It will also provide $500 million to encourage all hospitals to follow enhanced cyber practices.
But those funds likely won't be enough for all hospitals to implement and maintain cyber improvements, said David Chaddock, managing director of the cybersecurity practice at consulting firm West Monroe.
“It would be just a drop in the ocean,” he said.
The problem, Cagle said, is that cybersecurity is not a one-time investment; it is an ongoing effort that requires many people.
Finding workers may be difficult. There is already a global shortage of cybersecurity talent, and salaries in health systems often cannot compete with salaries in other sectors that also seek cyber talent.
Hospitals lacking resources likely don't have the scale to attract experienced cybersecurity leaders and may need to outsource their cybersecurity programs to outside providers to keep up, Cagle said.
That can be difficult to fit into a budget, especially when the hospital has other pressing needs, such as new equipment or nurse staffing.
Some smaller hospitals may only employ one or two people total in their IT department, while larger health systems may have dozens of people dedicated solely to security.
Monitoring for threats, detecting suspicious activity, responding to potential attacks and patching vulnerabilities in hospital technology systems is a 24/7 job, 365 days a year, Cagle said.
And that does not include other important tasks such as policy and procedure development, technical testing and risk analysis.
“These are the basic, essential things that we have to have. It's multiple people, multiple skill sets,” Cagle said. “The money will help them. (But) we're not going to give them enough personnel.”
More prescriptive cyber assessments
HIPAA has long been the go-to law when it comes to health care privacy and security, said Melissa Crespo, a partner at law firm Morrison Foerster.
However, that law was enacted in 1996, when medical technology looked very different. Even when Crespo began practicing years later, most data breaches involved lost laptops or paper records, not ransomware attacks backed by hostile states.
HIPAA also requires covered entities to conduct security risk assessments, but Crespo said it is a more general framework, and organizations can conduct those reviews internally.
The new bill is more prescriptive, requiring healthcare organizations to document independent security risk analyses, develop recovery plans for use in the event of an attack, and conduct annual stress tests of their capabilities.
An organization's CEO and chief information security officer must certify that the organization is in compliance and must not knowingly submit false documentation regarding its cyber posture; knowingly doing so may result in fines or imprisonment.
This responsibility may cause some potential leaders to avoid the role, Crespo said.
“This is a double-edged sword because it can scare away many people who might otherwise be strong security advocates for the organization away from that role,” she said. “But at the same time, it increases the burden and compliance obligations and the need to get it right.”
HHS would also take on new oversight responsibilities. The bill would require the agency to annually audit the data security practices of at least 20 covered entities or business associates, selected based on their systemic importance, complaints about their practices and past history of violations.
West Monroe's Chaddock said some of those selections could be driven by priorities or service territory, with an emphasis on East Coast hospitals closer to government facilities.
Experts say this will place an additional burden on both healthcare organizations and the agency. But Elizabeth Sutherlan, a partner in West Monroe's healthcare and life sciences practice, said the industry is used to strict regulatory requirements.
“Hospitals are used to dropping everything when (the joint committee) arrives and just doing it,” she says. “(…) If it is not clear what has to be done during an audit, there will be confusion. And if it is unpredictable, it will be chaos. If so, the hospital can deal with it.”