After a spate of cyberattacks that diverted ambulances from US hospitals, the Department of Health and Human Services has unveiled plans to ramp up federal funding for ill-protected rural hospitals and impose stricter fines for lax security at health care providers.
The new HHS plan, shared exclusively with CNN on Wednesday, is a recognition that the status quo of hacks regularly disrupting health care in America is untenable, and that federal officials and hospital executives need to do much more to combat the problem.
“This is a really urgent threat,” HHS Deputy Secretary Andrea Palm told CNN, adding that there are rural hospitals and other cash-strapped facilities “that really need help investing” in technology and security practices “to help them keep up” with the threat.
The release of the plan comes after a Thanksgiving Day ransomware attack on health care conglomerate Ardent Health Services forced hospitals from New Jersey to New Mexico to divert ambulances from emergency rooms. In the last nine months alone, other cyberattacks have resulted in ambulances being diverted from hospitals in Connecticut, Florida, Idaho and Pennsylvania.
The HHS plan focuses on getting more money and training to hospitals that still need to implement basic cybersecurity protections to keep hackers out of their systems. The department also says it's willing to use a number of authorities, including imposing monetary fines, to both force and encourage health care organizations to better secure their systems. Key federal programs like Medicare and Medicaid will be used as vehicles for new cybersecurity requirements for hospitals, the plan says.
But many important details have yet to be ironed out. HHS officials say they need a significant increase in funding from Congress to implement the plan but declined to tell CNN how much it would cost. And the plan's success could rest, at least in part, on how effective and enforceable a set of cybersecurity metrics for health care providers, which HHS officials are still crafting with industry insiders, turns out to be. The department will also need to work with Congress to increase fines for failing to protect health information from hackers.
The urgency from HHS comes from the fact that cyberattacks can threaten patient safety. A federal study in 2021 found that a ransomware attack can hinder patient care and strain resources at a hospital for weeks, if not months.
Experts say a lack of money and expertise to deal with cyberattacks is an acute problem for small health care providers across the country. Many of the small health clinics don’t have a dedicated cybersecurity person on staff, Joshua Corman, a cybersecurity expert who specializes in the health sector, told CNN.
Of the 16 sectors that the federal government has designated “critical infrastructure,” the health sector has been most disrupted by ransomware, “with more disruptions, larger disruptions, longer disruptions, and the most life-safety-risk disruptions,” said Corman, who helped lead a federal task force to protect coronavirus research from hacking.
Sometimes, hospitals never recover from the hacking incidents. A hospital in Illinois was forced to close in June in part because a cyberattack crippled the billing department.
Historically, federal policies to deal with the problem “have failed to keep pace with these growing harms, and therefore material, not incremental changes, are necessitated to preserve the trust and safety of the public,” Corman said.
And across the Biden administration, officials have long been concerned that software providers continue to sell insecure products that hackers are too easily able to exploit.
“Software quality is still s**t, so until we get people to write and deploy better code, we’re still building critical infrastructure on Swiss cheese,” a US official who has long worked on health care cybersecurity policy told CNN. The official spoke on the condition of anonymity because they were not authorized to talk to the press.
But an awareness of cyber threats among hospital executives has grown in recent years, and US officials say there is a more robust system in place for warning health care facilities of looming threats.
“We continue to work with hospitals that have been the subject of attacks” and share information on the hacks with the health sector, Palm said when asked about the ransomware attack on Ardent Health.