Bipartisan Legislation Introduced to Address Rural Hospital Cybersecurity Skill Gaps | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacking | #aihp

Posted By HIPAA Journal on May 22, 2023

New bipartisan legislation has recently been introduced to help address the current shortage of cybersecurity skills at rural hospitals. The Rural Hospital Cybersecurity Enhancement Act was introduced by Sen. Gary Peters (D-MI), chair of the Senate Homeland Security and Governmental Affairs Committee, and Sen. Josh Hawley (R-MO), committee member.

Cyberattacks on healthcare organizations have increased significantly over the past few years. These attacks cause considerable disruption to patient care and can put lives at risk and while health systems have increased investment in cybersecurity, many small and rural hospitals lack the necessary resources and struggle to hire skilled cybersecurity professionals. At a recent Senate Homeland Security and Governmental Affairs Committee hearing, cybersecurity experts testified about the current healthcare cybersecurity challenges. Kate Pierce, former CIO and CISO at North County Hospital in Vermont and executive at Fortified Health Security said cybercriminals have shifted their focus and are now actively targeting small and rural hospitals. Large health systems have implemented advanced cybersecurity measures and employ large cybersecurity teams to manage their sophisticated defenses, but there is a large disparity in cybersecurity spending at small and rural hospitals, which tend to have much weaker defenses.

“A basic security measure like 24/7 monitoring of systems is “pie-in-the-sky” for these organizations,” explained Pierce at the hearing. “Despite all the guidance, recommendations and services provided over the past few years by HSCC, 405(d), H-ISAC, CISA, and other organizations, I have found that the vast majority of small and rural hospitals are unaware of these resources, and too overwhelmed to take advantage of these valuable tools.”

The Rural Hospital Cybersecurity Enhancement Act requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop a comprehensive cybersecurity workforce development strategy for healthcare facilities that provide inpatient and outpatient care services in non-urbanized areas. The strategy should include public-private partnerships, the development of curricula and training resources, and policy recommendations. The bill requires the Director of CISA to create instructional materials for rural hospitals to train staff on fundamental cybersecurity measures, and for the Department of Homeland Security to report annually to congressional committees on updates to the strategy and any programs that have been implemented.

“Ransomware attacks against hospitals and health care systems that compromise sensitive medical information and disrupt patient care must be stopped. Unfortunately, small and rural hospitals often lack the resources to invest in cybersecurity defenses and staff to prevent these breaches,” said Senator Peters. “This bipartisan legislation will require the federal government to ensure our most vulnerable health care providers have the necessary tools to protect patient information and provide lifesaving care even as criminal hackers continue to target their networks.”