After Barrage of Hacks, Hospitals Will Face New Federal Cybersecurity Rules Tied to Funding

The Messenger
The Biden administration plans to unveil new cybersecurity requirements for hospitals in the coming weeks as government officials scramble to stem a disturbing tide of hacks that have crippled healthcare providers, delayed procedures and raised concerns about patient safety.

The Centers for Medicare & Medicaid Services, an arm of the Department of Health and Human Services, will propose rules within the next month or so that would require hospitals to establish basic digital security defenses in order to receive federal funding, according to a senior administration official.

"The government is homing in on those key cybersecurity practices that we really do believe bring a meaningful impact," said the official, who requested anonymity to preview an upcoming policy. The official said the government expects the new requirements to take effect before the end of the year.

Hospitals have been a top target of cyber criminals for years because of their heavy dependence on technology for both routine administrative tasks and complicated medical procedures. Last November, for instance, a cyberattack on Tennessee-based firm Ardent Health Services forced hospitals in several states to divert ambulances to other emergency rooms and reschedule nonemergency procedures. And in August, an attack on a California-based hospital chain similarly forced the cancellation of surgeries and the closure of urgent-care centers.

As cyberattacks have pushed hospitals across the country to the breaking point, the Biden administration has been weighing its options for enforcing better security in the industry. Now, under a plan that Health and Human Services finalized late last year, the administration is about to act.

The new cyber rules will join a vast collection of requirements governing how hospitals must operate, from building design to patient interactions, if they want the federal government's Medicare and Medicaid programs to reimburse their expenses.

The requirements will include using multifactor authentication, which adds an extra login step after the traditional password, and operating a program to fix software vulnerabilities within a set amount of time after they are discovered. The senior administration official said basic security practices like these "really do shut the door to most of our cyber incidents."

After decades in which the government mostly avoided telling critical industries how to protect themselves from hackers, the Biden administration has mounted an ambitious effort to enact new cybersecurity requirements using agencies' existing authorities. Following the May 2021 Colonial Pipeline ransomware attack, which snarled fuel supplies up and down the East Coast, the Transportation Security Administration issued cyber rules for pipeline operators. The TSA subsequently made those rules more flexible after criticism from the industry, and that process paved the way for similar requirements for the aviation and rail industries.

Health and Human Services is following in the TSA's footsteps with its hospital cybersecurity rules, the senior administration official said. Some of the requirements, like using multifactor authentication, will be clearly defined and prescriptive, while others, like the obligation to maintain a vulnerability-fixing process, will leave the details, such as the required timeframe for patching software flaws, up to individual hospitals.

The administration expects to haggle over the details of certain requirements during the public comment period after the rule is released. "It's easier to have negotiations if we start with something more prescriptive and then dial back, as we did with TSA," the official said.

It remains to be seen how the powerful hospital industry will respond to the new rules. But it appears likely that the Biden administration will have a fight on its hands. After Health and Human Services first indicated last December that regulations were coming, the American Hospital Association blasted the government's plan to impose requirements that were tied to federal funding.

The AHA declined to comment on the new details of the rules. Health and Human Services did not respond to a request for comment about whether it expected a legal challenge to the forthcoming rules.

If the hospital industry chooses to fight the Biden administration's plan, there is a precedent for success. Last October, the Environmental Protection Agency withdrew cybersecurity rules for water facilities after the water industry partnered with Republican state attorneys general to sue the agency over the requirements.