Cybersecurity incidents affecting healthcare providers are growing. Data reported to the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) show a 93% increase in large breaches from 2018 (369) to 2022 (712). As the risk to healthcare delivery has increased, so has interest in Congress and by the administration in actions to address perceived vulnerabilities in critical infrastructure. Historically, many small and rural hospitals have approached cybersecurity as an “IT issue.” However, it is now an enterprise risk, given the potentially significant impact on patient outcomes and organizational finances. To help reduce operational, regulatory, and reputational risks, small and rural hospitals should leverage complimentary resources made available by various federal agencies to identify and address vulnerabilities in their current IT systems and to help improve mitigation and incident response plans.
Washington Responds to the Change Healthcare Breach
Like the threat environment, the regulatory environment is evolving. While interest in strengthening cybersecurity requirements for providers was increasing prior to the Change Healthcare breach, both Congress and the administration have signaled a need for action in the aftermath.
Administration Takes Action: The administration has provided resources to help rural hospitals improve security and is preparing to issue a proposed rule increasing requirements on providers. In June, the White House announced discounted cybersecurity resources from Microsoft and Google to help rural hospitals improve their preparedness for a cyber incident. However, as of September, only 20% of the approximately 1,800 eligible hospitals have taken advantage of the resources.
Further, the HHS OCR’s proposed rule, Proposed Modifications to the HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information, is under review at the Office of Management and Budget (OMB). Given that the rule was received by OMB in mid-October, it will likely be published in the Federal Register by spring 2025.
Legislation Introduced: In the wake of the Change Healthcare breach, both the House and Senate have introduced legislation to bolster cybersecurity at healthcare organizations.
- Health Infrastructure Security and Accountability Act (S.5218): The bill was introduced in the Senate in September by Ron Wyden (D-OR) and co-sponsored by Mark Warner (D-VA). It provides $800 million in upfront investment payments to rural and urban safety net hospitals and $500 million to all hospitals to adopt enhanced cybersecurity standards. The bill also requires HHS to develop a set of minimum cybersecurity standards for providers, health plans, clearinghouses, and business associates and increase fines for noncompliance with security standards for health information.
- Healthcare Cybersecurity Act (H.R. 9412/S.4697): The bill has bipartisan support in both chambers and was recommended for further consideration in the Senate by the Committee on Homeland Security and Governmental Affairs.[1] It requires the Cybersecurity and Infrastructure Security Agency (CISA) and HHS to collaborate and implement measures improving cyber defenses in the healthcare sector. This includes providing resources to nonfederal entities to bolster cybersecurity.
It is uncertain whether either of these bills will pass during this Congress. If neither bill makes it to the President’s desk, it is likely that legislation increasing cybersecurity requirements for healthcare organizations will pass in the future. Each new, significant incident will renew Congress’s interest in legislation addressing perceived vulnerabilities in critical infrastructure like hospitals, where downtime poses a risk to the health of individuals in the affected communities.
Enterprise Risk
The risk to patient care and the financial cost of a breach for a healthcare system is significant. Research shows 44% of ransomware attacks disrupted patient care, with over 15% of attacks disrupting care for over a week.[2] On average, a cyber incident costs healthcare organizations $10 million. To date, these events have had minimal impact on credit ratings; however, S&P Global notes this is an area that requires proactive attention[3] and will be an ongoing discussion item with management teams. Given the enterprise risk posed by a breach, hospitals—particularly small and rural hospitals—should continually re-evaluate their cybersecurity measures.
Complimentary Resources for Hospitals
Maintaining up-to-date cybersecurity measures is challenging for many small and rural hospitals due to limited budgets and staffing. While various government agencies provide resources at no cost that hospitals can utilize to enhance their cybersecurity, it can be difficult to identify those that are most relevant. Below is a curated list of cybersecurity resources that rural and small hospitals may find useful as they look to evaluate and improve cybersecurity at their organization.
CISA: CISA offers a range of resources tailored to healthcare institutions’ unique needs. These resources include cybersecurity alerts, best practices, and incident response services, which can significantly enhance a hospital’s cybersecurity posture.
- Cyber Hygiene Services: CISA provides vulnerability scanning and phishing assessments for organizations, helping rural hospitals identify security weaknesses.
- Cybersecurity Services and Tools/Cyber Essentials Toolkits: These tools provide a framework to help hospitals build a solid cybersecurity foundation.
- Mitigation Guide: Healthcare and Public Health (HPH) Sector: The guide offers recommendations and best practices to combat pervasive cyber threats affecting the HPH Sector.
- Tabletop Exercises: Tools for stakeholders to conduct tabletop exercises on various threat scenarios.
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): NIST provides a widely recognized CSF, a set of guidelines to help healthcare organizations manage and reduce cybersecurity risks.
- CSF Framework: This framework is a set of guidelines that can be tailored to the unique needs of smaller institutions, including rural hospitals. It covers all aspects of cybersecurity, from identifying and protecting against threats to responding to and recovering from them.
- NIST Health IT Program: This program can help improve the quality and availability of healthcare by establishing an emerging health IT network that is correct, complete, secure, usable, and testable.
HHS OCR: OCR enforces the HIPAA Security Rule, which requires hospitals to safeguard patient information. OCR provides guidance on complying with these requirements.
- Security Risk Assessment (SRA) Tool: Designed to help small healthcare organizations, including rural hospitals, conduct thorough security assessments.
- Health Industry Cybersecurity Practices: “Managing Threats and Protecting Patients (HICP 2023 Edition)” outlines the healthcare and public health sector’s top threats.
By utilizing these practical resources provided by government agencies, small and rural hospitals can bolster their cybersecurity posture and protect their critical health systems from growing cyberthreats. Our team has extensive experience helping healthcare organizations improve their preparedness for a cybersecurity incident. If you have questions or need assistance improving your organization’s cybersecurity, please reach out to a professional at Forvis Mazars.
[1] “S. 4697: Healthcare Cybersecurity Act of 2024,” govtrack.us.
[2] “Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021,” jamanetwork.com, December 29, 2022.
[3] “Cyber Risk In Health Care: High Stakes, Valuable Data, And Increasing Connectivity Attract Bad Actors,” spglobal.com, December 6, 2022.