Skip links

US government tells hospitals: Meet security standards or no federal dollars for you

US hospitals will be required to meet basic cybersecurity standards before receiving federal funding, according to rules the White House is expected to propose in the next few weeks.

This comes as hospitals and health clinics nationwide continue to be menaced by ransomware, and cybercrims resort to diabolical tactics to make victims pay up.

The Centers for Medicare and Medicaid Services (CMS), an arm of the US Department of Health and Human Services, is reportedly drawing up rules connecting hospital IT security with funding, which are set to take effect before the end of the year. 

Citing an unnamed government official, this Messenger report says the proposed rules will focus on “those key cybersecurity practices that we really do believe bring a meaningful impact.” And federal funding will hinge on hospitals enacting these basic network defenses.

When asked about the draft rules, a CMS spokesperson directed The Register to a concept paper published in December that outlines the Department of Health and Human Services’ (HHS) cybersecurity strategy.

According to the HHS paper [PDF], officials will propose new, enforceable security standards, and will work with Congress to administer financial support and incentives for hospitals to implement “high-impact cybersecurity practices,” among other actions.

“One of the key action areas is increasing accountability and coordination within the health care sector,” the spokesperson told The Register. “CMS values feedback from stakeholders and continues to consider how to improve cybersecurity most effectively across the health care sector. CMS does not comment on the substance of policies before they are proposed.”

Last year alone, at least 46 US hospital corporations with a total of 141 facilities between them were hit by ransomware infections, and at least 32 of these networks had protected health information and other patient data stolen during the intrusions, according to Emsisoft.

For comparison: There were 25 of these affected hospital systems in 2022, the infosec biz says.

In addition to stealing hospitals’ data, criminals are also using increasingly nasty extortion tactics to put pressure on health care execs to pay ransoms. This includes emailing patients directly and threatening to sell their health records, leaking breast cancer patients’ nudes, and even threatening to swat hospital patients. 

And while no one is going to argue against improving hospitals’ security posture, cutting off their funding may not help the situation, according to some. 

“Denying funding to hospitals doesn’t seem like the best way to help them improve their security,” Emsisoft Threat Analyst Brett Callow told The Register. “In fact, it may do the exact opposite.”

The Register‘s journalists debated the issue in this week’s Kettle recording. ®

Source