The Biden administration is set to unveil new cybersecurity requirements for hospitals, according to a recent report by The Messenger. The forthcoming regulations aim to fortify digital defenses in healthcare facilities by making federal funding contingent on the implementation of basic security measures.
The Centers for Medicare & Medicaid Services, a branch of the Department of Health and Human Services, is expected to propose these rules within the next month. The regulations will require hospitals to establish fundamental digital security protocols in order to qualify for federal funding. A senior administration official, speaking on the condition of anonymity, indicated that the requirements are anticipated to be enforced before the year’s end.
Hospitals have long been prime targets for cybercriminals due to their reliance on technology for both administrative and medical purposes. Recent incidents, such as the cyberattack on Tennessee-based Ardent Health Services, have highlighted the vulnerabilities in the healthcare system. These attacks have led to the diversion of ambulances, rescheduling of procedures, and even the cancellation of surgeries, underscoring the critical need for enhanced cybersecurity measures.
Striking a balance: Cybersecurity and healthcare operations
In response to these growing threats, the Biden administration has been actively deliberating on strategies to improve security standards in the healthcare industry. The new cyber rules will add to the extensive list of requirements hospitals must meet to receive reimbursement from Medicare and Medicaid programs.
Key elements of the new requirements include the implementation of multi-factor authentication and the establishment of a program to promptly address software vulnerabilities. These basic security practices are expected to significantly mitigate the risk of cyber incidents.
This move by the Biden administration marks a shift in the government’s approach to cybersecurity. Traditionally, the government has refrained from imposing specific cybersecurity mandates on critical industries. However, the administration has recently adopted a more proactive stance. Following the May 2021 Colonial Pipeline ransomware attack, the Transportation Security Administration introduced cyber rules for pipeline operators, which later influenced similar regulations for the aviation and rail industries.
Health and Human Services is now set to follow TSA’s lead with its own set of cybersecurity rules for hospitals. While some requirements will be clearly defined, others will offer more flexibility, allowing hospitals to tailor certain aspects, such as the timeframe for software patches, to their specific needs.
The administration anticipates negotiations during the public comment period that follows the rule’s release. Drawing on the TSA experience, the official noted that starting with more prescriptive requirements makes it easier to adjust them later in response to industry feedback.
The reaction of the hospital industry to these impending rules remains uncertain. The American Hospital Association previously criticized the government’s plan to link cybersecurity requirements to federal funding. HHS has not yet commented on the potential for legal challenges to these new regulations.
This development could potentially lead to a standoff between the Biden administration and the hospital industry, reminiscent of the Environmental Protection Agency’s withdrawal of cybersecurity rules for water facilities following legal challenges. As the administration gears up to implement these critical cybersecurity measures, the healthcare sector braces for impactful changes in its operational landscape.