
Biden administration to introduce cybersecurity requirements for hospitals


The Biden administration is expected to announce new cybersecurity requirements for hospitals, as reported by The Messenger. These forthcoming regulations are intended to strengthen digital defenses in healthcare facilities, with federal funding contingent on the implementation of basic security measures.

The Centers for Medicare & Medicaid Services, a branch of the Department of Health and Human Services, is set to propose these rules within the next month. The regulations will require hospitals to establish fundamental digital security protocols in order to qualify for federal funding. A senior administration official, speaking on the condition of anonymity, indicated that these requirements are expected to be enforced before the end of the year.

Hospitals have been frequent targets for cybercriminals due to their reliance on technology for administrative and medical purposes. Recent incidents, such as the cyberattack on Tennessee-based Ardent Health Services, have underscored the vulnerabilities in the healthcare system. These attacks have resulted in the diversion of ambulances, rescheduling of procedures, and even the cancellation of surgeries, highlighting the critical need for enhanced cybersecurity measures.

Striking a balance: Cybersecurity and healthcare operations

In response to these growing threats, the Biden administration has been actively considering strategies to improve security standards in the healthcare industry. The new cyber rules will add to the extensive list of requirements hospitals must meet to receive reimbursement from Medicare and Medicaid programs.

Key elements of the new requirements include the implementation of multi-factor authentication and the establishment of a program to promptly address software vulnerabilities. These basic security practices are expected to significantly reduce the risk of cyber incidents.

This move by the Biden administration signifies a departure from the government’s traditional approach to cybersecurity. While the government has historically refrained from imposing specific cybersecurity mandates on critical industries, the administration has recently taken a more proactive stance. Following the May 2021 Colonial Pipeline ransomware attack, the Transportation Security Administration introduced cyber rules for pipeline operators, which later influenced similar regulations for the aviation and rail industries.

Health and Human Services is now set to follow TSA’s lead with its own set of cybersecurity rules for hospitals. While some requirements will be clearly defined, others will offer more flexibility, allowing hospitals to customize certain aspects, such as the timeframe for software patches, to their specific needs.

The administration anticipates negotiations during the public comment period following the rule’s release. Drawing from the TSA experience, the official noted that starting with more prescriptive requirements could facilitate easier adjustments based on industry feedback.

The reaction of the hospital industry to these impending rules remains uncertain. The American Hospital Association previously criticized the government’s plan to link cybersecurity requirements to federal funding. HHS has not yet commented on the potential for legal challenges to these new regulations.

This development could potentially lead to a standoff between the Biden administration and the hospital industry, reminiscent of the Environmental Protection Agency’s withdrawal of cybersecurity rules for water facilities following legal challenges. As the administration gears up to implement these critical cybersecurity measures, the healthcare sector braces for impactful changes in its operational landscape.
