AHA pushes back on HHS proposal to penalize hospitals for cyberattacks

"The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime," says Rick Pollack, president and CEO of the American Hospital Association.
By Andrea Fox
10:35 AM


The American Hospital Association says the newly released U.S. Department of Health and Human Services' healthcare sector cybersecurity strategy paper, which outlines the agency's "ongoing and planned steps to improve cyber resiliency and protect patient safety," would have counterproductive consequences for hospitals that have suffered cyberattacks.

WHY IT MATTERS

In its strategy paper, HHS calls for new cybersecurity requirements for hospitals and outlines voluntary healthcare-specific cybersecurity performance goals.

HHS also said it would work with Congress to develop funding and incentives for domestic hospitals to improve cybersecurity through Medicare and Medicaid. It said the Centers for Medicare & Medicaid Services (CMS) is developing and will propose new cybersecurity requirements for hospitals through Medicare and Medicaid, and that the Office for Civil Rights will begin adding new cybersecurity requirements to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule in the spring of 2024.

"Funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector," HHS said in the policy announcement released Wednesday.

By developing enforceable cybersecurity standards and strengthening its role, HHS said it will enforce new cybersecurity requirements "through the imposition of financial consequences for hospitals."

"HHS will also continue to work with Congress to increase civil monetary penalties for HIPAA violations and increase resources for HHS to investigate potential HIPAA violations, conduct proactive audits and scale outreach and technical assistance for low-resourced organizations to improve HIPAA compliance," the agency said. 

As Rick Pollack, AHA’s president and CEO, told Healthcare IT News by email on Thursday: "No organization, including federal agencies, is or can be immune from cyberattacks."

AHA's response to HHS on its strategy to enhance healthcare cybersecurity was twofold. 

The hospital organization welcomes both federal expertise and funding investments that help hospitals and health systems protect patients from the range of devastating effects of cyberattacks, Pollack said.

At the same time, "hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks," he said, noting that AHA has worked closely with the FBI, HHS, the Cybersecurity and Infrastructure Security Agency (CISA) and others to prevent cyberattacks.

"However, this fight is largely against sophisticated foreign-based hackers who often work at the permission of and in collusion with hostile nation-states," Pollack said. "Defeating these hackers requires the combined expertise and authorities of the federal government."

Where many recent healthcare cyberattacks have "originated from third-party technology and other vendors," the AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals.

THE LARGER TREND

In October, HHS and CISA released the Cybersecurity Toolkit for Healthcare and Public Health, which offers remedies for healthcare organizations of all sizes to address cyber hygiene and strengthen defenses so they can stay ahead of constantly evolving threats.

"We have seen a significant rise in the number and severity of cyber attacks against hospitals and health systems in the last few years," HHS Deputy Secretary Andrea Palm said when the toolkit was announced.

Third-party risk management (TPRM) is a challenge for many resource-limited healthcare organizations, even with vendor assessment questionnaires and tools that update risk profiles.

In July, the Health 3rd Party Trust Initiative (Health3PT), which comprises a spectrum of healthcare and security organizations such as HITRUST and CORL, said that 55% of healthcare organizations had experienced a third-party breach in the previous year.

Health3PT said these organizations are experiencing vendor audit fatigue caused by the mountain of proprietary security questionnaires they receive.

With HIPAA-covered entities struggling to keep pace, the organization released a Recommended Practices & Implementation Guide to create standards for the TPRM ecosystem, and it recommends sharing assessments electronically.

ON THE RECORD

"HHS takes these threats very seriously, and we are taking steps that will ensure our hospitals, patients and communities impacted by cyberattacks are better prepared and more secure," said Palm in the HHS announcement.

"No organization, including federal agencies, is or can be immune from cyberattacks," Pollack told Healthcare IT News. "Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
