Lawmakers are increasingly focused on fortifying cybersecurity in rural healthcare because resource-strained hospitals face complex security challenges. While national efforts progress, immediate action is vital for rural healthcare entities. Experts stress the distinctive cybersecurity hurdles faced by such facilities, compounded by budget constraints. Enhanced awareness has prompted legislative measures like the Rural Hospital Cybersecurity Enhancement Act, aimed at aiding rural healthcare cybersecurity. Rural hospitals are urged to access available resources, initiate contact with relevant agencies, and take proactive steps to mitigate immediate cyber risks.
Lawmakers are turning their attention towards bolstering cybersecurity measures in rural healthcare settings as financially strained hospitals grapple with intricate security challenges.
Cybersecurity in the healthcare sector poses a formidable challenge for providers, network defenders, and regulators across the United States. This is evident from the surge in reported data breach incidents to the Department of Health and Human Services (HHS) in the current year alone. However, safeguarding patients and healthcare institutions from the destructive impacts of cyber incidents is an even greater hurdle in rural locales. These rural hospitals typically have limited resources and smaller capacities, and are often situated far apart.
Fortunately, the increased national focus on cybersecurity has drawn the concern of lawmakers to the cybersecurity predicament faced by rural healthcare providers. In March, prominent figures in the healthcare industry testified before the Senate Homeland and Governmental Affairs Committee, shedding light on these challenges. This attention culminated in May with the introduction of the Rural Hospital Cybersecurity Enhancement Act.
Despite the advancements in healthcare cybersecurity, there remains a necessity to cultivate awareness about the unique cybersecurity challenges confronting rural healthcare facilities and to guide them in mitigating risks effectively.
Distinctive Cyber Challenges Encountered by Rural Healthcare Facilities
“The repercussions of a cyberattack on rural communities cannot be overstated,” asserted Kate Pierce, Senior Virtual Information Security Officer at Fortified Health Security, during the March hearing before lawmakers.
“In urban areas, while attacks are disruptive, patients still have alternative healthcare options to turn to. In contrast, rural areas might require a journey of 45 miles or more to reach the next available medical facility, making patient diversion impractical.”
As previously highlighted, rural hospitals grapple with an array of unique cybersecurity difficulties, further complicated by hospital shutdowns and consolidations. A 2021 report from the Government Accountability Office (GAO) found that the median distance to a hospital increased by around 20 miles in regions where rural hospitals had shut down.
In a recent conversation with HealthITSecurity, Pierce reemphasized the profound impact a cyberattack could inflict upon a rural healthcare establishment and its patients.
“These smaller facilities strive to continue operations, but the resulting delays in patient care can be significant. Given our reliance on medical records for informed treatment, the unavailability of these records during patient consultations hampers decision-making,” Pierce explained.
“They find themselves in a tight spot, unable to divert patients yet struggling to provide ongoing care.”
Furthermore, financial limitations burden rural hospitals, forcing them to prioritize other urgent needs over cybersecurity. Pierce, who spent over two decades at a rural hospital in Vermont, experienced firsthand the challenge of allocating resources to cybersecurity amidst seemingly more pressing concerns.
“Emerging from the challenges posed by COVID-19, these facilities are grappling with tight budgets, making it difficult to allocate funds to cybersecurity when faced with demands like nursing staff,” Pierce noted.
“As cybersecurity isn’t currently mandated, it becomes a tough call to allocate resources in that domain.”
Moreover, cyberattacks might severely impair a hospital’s long-term operations. A recent instance involved a rural hospital in Illinois that announced its permanent closure due in part to financial repercussions from a 2021 cyberattack. The attack on the St. Margaret’s Health facilities in Spring Valley and Peru, Illinois, disrupted electronic health record systems and prevented claims submission to insurers for several months.
The shutdown of this hospital further underscores the urgency of addressing cybersecurity risks in healthcare, especially for rural facilities.
Enhanced Awareness Fuels Legislative Action
During the Senate Homeland and Governmental Affairs Committee hearing, representatives from diverse healthcare organizations highlighted the ongoing cybersecurity challenges and suggested ways the federal government could aid in enhancing the sector’s security posture.
Most speakers stressed the impact of cyberattacks on rural communities. Experts advocated for additional funding and cybersecurity policies tailored to rural healthcare entities. This includes the potential for incentive-based or grant-supported assistance for critical access and rural providers.
Pierce remarked, “The assembled committee was diverse, and I’m pleased to note that rural hospitals had a seat at the table, giving us a voice. It’s heartening to see bipartisan support for this issue in Congress.”
In addition to addressing rural healthcare cybersecurity, these healthcare leaders encouraged lawmakers to enhance communication and collaboration between industry and government stakeholders and to establish mandatory security standards for all healthcare entities.
Shortly after the hearing, the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG), of which Pierce is a member, commenced work on a “Hospital Cyber Resiliency Initiative Landscape Analysis.”
This analysis provided the Department of Health and Human Services (HHS) with vital insights into the current state of hospital cyber resiliency, drawing on metrics from threat intelligence reports, open-source intelligence, and interviews with hospitals spanning diverse geographical and demographic backgrounds.
Throughout the report, there were references to the intensification of cybersecurity challenges in rural communities with constrained communication bandwidth, outdated technology, and difficulty in securing cyber expertise.
In the wake of the report and the growing momentum for healthcare cybersecurity, Senators Josh Hawley (R-MO) and Gary Peters (D-MI) introduced the Rural Hospital Cybersecurity Enhancement Act. The legislation aims to tackle the cybersecurity hurdles faced by rural healthcare providers. It mandates that the Cybersecurity and Infrastructure Security Agency (CISA) director devise a comprehensive strategy for developing a cybersecurity workforce in rural hospitals.
Furthermore, the act requires the CISA director to generate educational materials to aid rural hospitals in training staff on essential cybersecurity practices. It also supports the creation of new curricula, public-private partnerships, and policy recommendations. While the act is still in its introductory phase, it has drawn much-needed attention to the issue of rural healthcare cybersecurity.
In recent months, the White House has unveiled its National Cybersecurity Strategy and Implementation Plan, along with a National Cyber Workforce and Education Strategy. Both initiatives underscore the administration’s prioritization of cybersecurity.
“There is a significant surge of momentum at this juncture, as they are genuinely recognizing the gravity of cyberattacks on our nation,” Pierce noted. “This is an opportune moment to mobilize and help them gain a deeper understanding of the challenges unique to healthcare and how they differ from other sectors.”
Immediate Steps for Rural Healthcare Facilities
Even as these national cybersecurity plans and strategies take shape, healthcare institutions across the nation remain vulnerable to cyberattacks. Therefore, rural healthcare entities must take proactive steps to minimize risks.
“There is an array of resources available,” Pierce recommended, directing rural entities to the recently updated Health Industry Cybersecurity Practices (HICP) publication. This comprehensive publication offers consensus-based cybersecurity guidelines.
The HICP encompasses a technical volume specifically tailored to small healthcare organizations. It furnishes guidance on implementing vital security tools, such as vulnerability management and email protection systems.
“These documents are highly robust, and if you examine the one designed for small organizations, it outlines fundamental measures that everyone should adopt. I urge them to delve into that,” Pierce advised.
Other valuable free resources for healthcare cybersecurity include the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the Health Sector Coordinating Council’s (HSCC) Joint Security Plan (JSP).
Additionally, Pierce encouraged reaching out to local government representatives, who can facilitate access to crucial resources.
“Identify your local representatives from CISA and the FBI. Initiate contact with them, and invite them to visit your hospital. They are more than willing to assist, and they have resources that can be availed with a minor investment of time, proving immensely valuable,” Pierce recommended.
“It’s advisable not to wait until you face an incident and require assistance. Establishing prior communication ensures that they are familiar with you and your efforts to mitigate risks.”
With additional support forthcoming for rural healthcare entities, they must continue to work with existing resources to address immediate risks.