The Foundation for Defense of Democracies has made strong recommendations to the executive branch, Congress and the healthcare ecosystem as a starting point for addressing the wave of cybercrime against the healthcare sector. While the new report calls for greater use of third-party managed IT services, even part-time, by resource-strapped provider organizations and for more cyber hygiene training for employees, most of the Foundation for Defense of Democracies' recommendations are directed at government.
“The health and well-being of the American people depend on it,” the authors said in the new report.
Why is this important?
In its report, “Healthcare Cybersecurity Needs an Inspection,” FDD outlined government and industry-led efforts to prevent healthcare cyberattacks. The consequences of ransomware attacks, which have proven to cause the most disruption to services, freezing provider systems and stealing protected health information, are not always clear-cut.
Studies of patient harm from these incidents “probably underestimate the human cost,” say authors Michael Sugden and Annie Fixler.
The report highlights the unique challenges facing rural hospitals, which serve roughly 14% of the U.S. population, and aims to lead the critical sector into a future that is more resilient against attacks.
“These hospitals tend to operate on extremely tight budgets, with 50% of rural hospitals operating at a loss,” the researchers said, leaving them ill-prepared to prevent or respond to ransomware attacks.
Government agencies need to update their strategies in this area and act.
“It provides a roadmap for securing critical life-saving services, incorporates stakeholder feedback on cybersecurity goals, and addresses local cybersecurity talent shortages,” Sugden and Fixler said.
“The solution to the current gap is not passive regulation that requires cybersecurity through compliance. Instead, the industry needs a proactive and collaborative approach,” they added.
Their recommendations to the government include:
- Develop new long-term sector-specific cybersecurity goals.
- Work with industry to identify, prioritise and secure life-saving services.
- Iteratively update the cybersecurity performance goals.
- Accelerate timelines for CPG compliance incentive programs.
- Develop a cybersecurity talent development strategy for rural hospitals.
- Reassess the list of systemically important entities.
The recommendation that the government reassess the SIE list is also a response to the cascading cyberattacks Change Healthcare experienced this year.
The authors also said the industry needs to “increase investments in cybersecurity, including allocating appropriate resources to security teams, implementing cyber hygiene training across the organization, and developing emergency response plans for disruptive cyber attacks.”
Healthcare providers “need to ensure they allocate funding” to prevent and respond to cyber incidents, but many resource-strapped hospitals lack the means to do so. For this reason, the FDD report recommends that such providers use managed IT service providers to contract part-time cybersecurity personnel and other cybersecurity resources.
Their recommendations for the industry include:
- Spend more on cybersecurity.
- Provide cyber hygiene training to all employees.
- Develop local emergency response plans for health care providers.
With phishing remaining the most common attack, aided greatly by the expanding use of large language models, Sugden and Fixler stressed the importance of employee cyber hygiene training, noting that “free or relatively inexpensive” programs exist that can “prevent attacks that would otherwise cost healthcare providers millions of dollars and put the lives and privacy of patients at risk.”
They noted that the U.S. Department of Health and Human Services has requested additional funding to expand personnel and capabilities dedicated to incident response and mitigation, and urged Congress to provide funding to relevant executive agencies and programs to better support this area.
In March, the Strategic Preparedness and Response Office, the agency responsible for protecting HHS's critical infrastructure, requested an additional $5 million in fiscal year 2025 to address workforce needs.
“It is critical that Congress approve this request,” the FDD researchers said.
The recommendations to Congress are:
- Ensure that the resources and organizational structure of sector risk management agencies are optimally efficient.
- Increase funding for HHS's SRMA functions.
- Provide funding for HHS's CPG resource and incentive programs.
- Provide direction and resources to HHS to establish a regional virtual chief information security officer pilot program.
Larger trends
There is a direct link between cyberattacks on hospitals and patient mortality, with a 2022 Ponemon Institute and Proofpoint study finding that more than 20% of healthcare organizations that suffered ransomware or other types of cyberattacks experienced increased mortality rates afterwards.
“The healthcare industry has traditionally lagged behind other industries in addressing its vulnerabilities to increasing cybersecurity attacks, and this neglect has a direct negative impact on patient safety and health,” Ryan Witt, healthcare cybersecurity leader at Proofpoint, said in a statement when the study was released.
When HHS called for new cybersecurity requirements for hospitals and outlined a voluntary CPG in December, it pledged to work with Congress to develop funding and incentives for the nation's hospitals to improve their cybersecurity.
But in its policy announcement, the Department of Health and Human Services said, “funding and voluntary targets alone will not drive the cyber-related behavior change that is needed across the health care sector.”
HHS's expanded role in creating enforceable cybersecurity standards would also enforce new cybersecurity requirements “through financial consequences for hospitals,” a move that healthcare industry leaders and the American Hospital Association pushed back on.
“Taking down these hackers will require the combined expertise and power of the federal government,” AHA President and CEO Rick Pollack told Healthcare IT News when HHS released the policy document.
On the record
“The federal government, through HHS, should leverage broad public-private partnerships to strengthen the cyber resilience of health care providers and protect their health and safety,” the FDD authors said.
Andrea Fox is a senior editor at Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a publication of HIMSS Media.