Health systems welcome more funding and support, but they're not happy about the prospect of penalties for breaches.
When the U.S. Department of Health and Human Services released a paper this month outlining a healthcare cybersecurity strategy, hospitals found some appealing concepts.
In the paper, issued Dec. 6, the department said it would provide more resources to help promote recommended cybersecurity practices in healthcare. HHS pledged to expand and improve its “one-stop shop” for cybersecurity support in the department.
However, the health department’s paper also discussed the need for “greater enforcement and accountability.” HHS said it would work with Congress to increase monetary penalties for violations of federal patient privacy regulations (HIPAA). The Centers for Medicare & Medicaid Services also plans to introduce cybersecurity requirements through Medicare and Medicaid.
Hospitals criticized the idea of hefty fines for cyberattacks.
Rick Pollack, president of the American Hospital Association, said that levying fines on hospitals would be counterproductive. Hospitals are already spending considerable sums to deter cyberattacks, and organizations that suffer breaches already face heavy costs. The average cost of a healthcare data breach is nearly $11 million, according to an analysis by IBM Security.
“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime,” Pollack said in a statement.
“Many recent cyberattacks against hospitals have originated from third-party technology and other vendors,” he said. “No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks.”
Pollack did make it clear that the association embraces some aspects of the HHS strategy, including the prospect of additional federal aid and sharing of knowledge.
“The AHA welcomes the investment of federal expertise and funding in protecting hospital and health system patients from heinous attacks on critical health care infrastructure,” he said in the statement. “However, this fight is largely against sophisticated foreign-based hackers who often work at the permission of and in collusion with hostile nation states. Defeating these hackers requires the combined expertise and authorities of the federal government.”
Mike Hamilton, the founder and chief information security officer of Critical Insight, a cybersecurity firm, says the government needs to do more to help hospitals and health systems. He shared his thoughts in a recent installment of the Chief Healthcare Executive® podcast, Data Book.
“More funding needs to be made available to the healthcare sector,” Hamilton said. “And I think more importantly, we need to start making people available to the healthcare sector, because right now, they cannot attract and retain qualified practitioners.”
Healthcare leaders have said it’s difficult to find and keep cybersecurity professionals, because they can earn higher salaries in other industries.
In its paper, the health department says it is going to develop voluntary cybersecurity performance goals. HHS said it would come up with “essential” goals for minimal standards, and “enhanced” goals for more robust practices.
The health department also said it would work with Congress to provide money for cybersecurity investments, including “high-need healthcare providers, such as low-resourced hospitals.” HHS also described an “incentives program” to encourage all hospitals to improve their defenses.
Scores of hospitals and health systems have suffered cyberattacks in recent years, leading to heavy financial burdens and disruptions of patient care.