Following the cyberattack on Change Healthcare, which affected millions of patients, caused prescription backlogs, and disrupted care delivery, the health care sector remains acutely vulnerable to cyber threats. On May 8th, Ascension Healthcare, the second-largest nonprofit health system in the U.S., became the victim of another cybersecurity incident that caused widespread IT outages, disrupted claims processing, and forced the cancellation of appointments. The Biden Administration is currently looking to strengthen cybersecurity protections. Recent actions include unveiling new requirements for hospitals and announcing that it will offer free cybersecurity training to 1,400 small, rural hospitals across the country.

The Biden Administration is taking preliminary steps to combat cyberattacks on the health care industry by requiring hospitals to meet minimum cybersecurity standards as part of their standard operational practices. The proposed rule would apply to organizations that receive Medicare or Medicaid funding. It would require certain hospitals to report cybersecurity incidents within 72 hours of the entity reasonably believing that a covered incident has occurred, and to report any ransomware payment within 24 hours of making it. The report would need to include information such as the identity of the perpetrator, a description of the incident, and the entity’s response. Failure to report could result in civil monetary penalties.

Key stakeholders caution that these requirements must be designed thoughtfully, mindful of the burden that increased regulation can unintentionally create. The American Hospital Association has historically opposed such mandates, particularly when they include civil monetary penalties, arguing that fines or reductions in Medicare payments would deplete hospitals’ resources and thereby undermine their ability to defend against cyberattacks.

The health care sector faces escalating threats from cyberattacks, with devastating consequences for patients and providers. According to a report by the Department of Health and Human Services (HHS), the number of large breaches reported rose 93% from 2018 to 2022 (369 to 712), and the number of large breaches involving ransomware reported to the Office for Civil Rights (OCR) rose 278% over the same period. These attacks target a sector already burdened with the responsibility of safeguarding sensitive patient data and maintaining critical medical infrastructure. Recent incidents serve as a reminder of the persistent risks faced by health care organizations, highlighting the need for enhanced cybersecurity measures and heightened vigilance.

AHPA extends our gratitude to Kevin Lopez, guest author of this article.
Kevin is a graduate student in the Master of Healthcare Administration program at Loma Linda University.