A new report out this week from CSC 2.0 – the successor to the Cyberspace Solarium Commission – calls on Congress and the White House to take swift action to better protect the healthcare sector from cyberattacks.
The 20-page report, titled “Healthcare Cybersecurity Needs a Check Up,” explains that the frequency of cyberattacks against the healthcare and public health sector “has increased rapidly since the onset of the COVID-19 pandemic.”
It notes that ransomware “has become the biggest threat” to the sector, citing the February 2024 Change Healthcare ransomware attack and the May 2021 Scripps Health ransomware attack as major incidents. According to the report, ransomware attacks can block access to medical equipment, electronic patient records, and databases, and the resulting disruptions to care are associated with higher patient mortality.
“The safe and efficient provision of health services is a matter of both personal safety and national security. This is why the Federal government designated the healthcare and public health sector as a critical infrastructure sector,” the report says. “The U.S. government must collaborate with stakeholders in this sector to increase providers’ resiliency against cyberattacks.”
CSC 2.0 makes it clear that the solution to current cybersecurity gaps in the healthcare sector “is not reactive regulation that seeks cybersecurity through compliance.” Instead, it encourages a collaborative approach that prioritizes the security of systems most directly connected to patient care.
The report offers 13 recommendations directed at the executive branch, Congress, and the healthcare sector.
For the executive branch, the report recommends it develop new, long-term sector-specific cybersecurity objectives; work with industry to identify, prioritize, and secure life-saving services; iteratively update the Department of Health and Human Services’ cybersecurity performance goals (CPGs); accelerate the CPG compliance incentivization program’s timeline; and reassess the list of “systemically important entities.”
The report explains that rural hospitals typically cannot afford skilled cybersecurity teams, leaving them more vulnerable to cyberattacks. Therefore, CSC 2.0 also recommends that the White House create a rural hospital cybersecurity workforce development strategy.
“This effort should explore ideas such as sharing IT teams across a region and migrating data to secure cloud storage providers,” the report says. “Congress should fund HHS to conduct relevant pilot programs. Different solutions should be tested for rural hospitals experiencing significant financial constraints, and an assessment of these solutions should determine how deeply HHS should become directly involved in helping rural hospitals build cybersecurity capacity.”
As for Congress, the report offers four recommendations: ensure that HHS’s sector risk management agency (SRMA) resources and organizational structure are as efficient as possible, increase funding for HHS’s SRMA capabilities, fund HHS’s CPG resourcing and incentive program, and direct and resource HHS to establish a “Rural vCISO Pilot Program.”
This pilot program would provide “part-time CISOs, called ‘fractional CISOs’ or ‘virtual CISOs’ (vCISOs), to help the most vulnerable and underfunded rural hospitals,” the report says.
Finally, the report calls on industry to spend more on cybersecurity, provide cyber hygiene training to all employees, and develop regional contingency plans for healthcare providers.