The American Hospital Association (AHA) is contesting a U.S. Department of Health and Human Services (HHS) proposal that would hold hospitals accountable for cyberattacks. AHA President and CEO Rick Pollack argues that hospitals have already invested heavily in cybersecurity and that defending the sector requires federal collaboration rather than penalties. The HHS strategy would impose mandatory cybersecurity standards on hospitals, which the AHA opposes because of the financial and operational burden it would place on them.
The dispute centers on whether hospitals should bear the blame, and the penalties, when a cyberattack succeeds. Pollack opposes the HHS strategy on the grounds that it unfairly faults hospitals for the success of cybercriminals, and the disagreement raises real questions about what hospitals will face in the aftermath of a cyber incident.
HHS recently unveiled a healthcare sector cybersecurity strategy that pairs voluntary cybersecurity performance goals tailored to healthcare with mandatory cybersecurity requirements for hospitals. To support the sector, HHS plans to work with Congress to secure funding and incentives for hospitals through Medicare and Medicaid. The agency also intends to propose new cybersecurity requirements for hospitals participating in Medicare and Medicaid by spring 2024 and to enforce them with financial penalties for hospitals that fail to meet the standards.
The AHA strongly disagrees with this approach. Pollack says that federal expertise and financial support for protecting patients from cyber threats are welcome, but that hospitals have already made substantial investments in cybersecurity. He points to ongoing collaboration among the AHA, the FBI, HHS, the Cybersecurity and Infrastructure Security Agency (CISA) and other stakeholders aimed at preventing attacks before they happen. Countering sophisticated attackers, many of them affiliated with hostile nation-states, he argues, requires a concerted effort and the consolidated authority of the federal government.
The AHA attributes many recent cyberattacks in the healthcare sector to vulnerabilities in third-party technology and vendors, and on that basis opposes mandatory cybersecurity requirements levied solely on hospitals. Even with new resources such as the Cybersecurity Toolkit for Healthcare and Public Health released in October by HHS and CISA, managing third-party risk remains a challenge for resource-strapped healthcare organizations. A survey by the Health 3rd Party Trust Initiative found that 55% of healthcare entities had experienced a third-party breach in the past year.
HHS Deputy Secretary Andrea Palm has acknowledged the gravity of the threat and pointed to the department's initiatives to strengthen security across the sector. Pollack agrees on the severity of the threat but cautions against punitive measures such as fines or reduced Medicare payments, which would drain the very resources hospitals need to defend against cybercrime.
In short, the AHA accepts that the healthcare sector needs stronger cybersecurity, but it opposes penalizing hospitals for cyber incidents and calls instead for a collaborative approach with federal agencies, one that pools effort against evolving threats while preserving the hospital resources needed for patient care and safety.