By Phil Englert
Rural hospitals face unique challenges, including financial constraints and staffing shortages. Between 2010 and 2021, 136 rural hospitals closed, and a Crisis in Rural Healthcare report states that 600 more of the remaining 1,796 are at risk of closing. Many rural residents are older, lower-income and in worse health than urban populations. A significant portion of those served are under- or uninsured. They experience higher rates of substance use and chronic health issues such as high blood pressure and obesity. Staffing remains a significant challenge, with the 21% of the population living in rural areas served by only 10% of physicians.
HealthITSecurity.com reports that “Cyberattacks are pivoting to target smaller health care companies and specialty clinics without the resources to protect themselves, instead of larger health systems that – despite being treasure troves of personal and medical data – generally have more sophisticated security.” Most smaller hospitals are connected to larger systems, becoming the “path of least resistance” into those larger health care networks and increasing risk on a national level.
Cyberattacks on the health care system pose significant risks to patient care and safety. From 2018 to 2022, significant data breaches reported to the Department of Health and Human Services (HHS) increased by 95%, including numerous ransomware attacks. In alignment with the National Cybersecurity Strategy, the president’s fiscal year 2025 budget invests in protecting the nation’s health care system from cyber threats. It includes $800 million to help high-need, low-resourced hospitals cover the upfront costs of implementing essential cybersecurity practices and $500 million for an incentive program encouraging all hospitals to invest in advanced cybersecurity measures.
Congressional funding and coordinated government efforts are essential for enhancing rural health care cybersecurity. Subsidies and enhanced payments from the Centers for Medicare & Medicaid Services (CMS) are crucial. Government-funded cyber response teams, staffed by larger health care organizations, could provide vital support to rural hospitals. These teams, possibly coordinated under agencies like the Administration for Strategic Preparedness and Response (ASPR), the Health Sector Coordinating Council (HSCC), and the Health Information Sharing and Analysis Center (Health-ISAC), would be instrumental in responding to and recovering from cyberattacks.
The Health Industry Cybersecurity Practices (HICP) publication is a crucial resource for rural health care entities. This multi-volume publication offers consensus-based cybersecurity guidelines. It includes a technical volume specifically designed for small health care organizations, providing implementation guidance for essential security tools such as vulnerability management and email protection systems. These guidelines outline basic steps all small organizations should adopt to enhance their cybersecurity posture.
Recent legislative efforts underscore the critical need for improved cybersecurity in rural health care settings. Senators Josh Hawley (R-MO) and Gary Peters (D-MI) have introduced the Rural Hospital Cybersecurity Enhancement Act. This legislation mandates that the Cybersecurity and Infrastructure Security Agency (CISA) director devise a comprehensive workforce development strategy for rural hospital cybersecurity. Moreover, the act requires the creation of instructional materials for rural hospitals to train staff on essential cybersecurity measures. The legislation includes support for new curricula, public-private partnerships and policy recommendations. Though still in the introduction phase, this act has brought significant attention to rural health care cybersecurity issues.
Senator Mark Warner (D-VA) has introduced the Health Care Cybersecurity Improvement Act of 2024, which proposes advance and accelerated payments to providers in the event of a cybersecurity incident, provided they meet minimum cybersecurity standards. This legislation recognizes that smaller health care organizations and specialty clinics, often targeted by cybercriminals, need substantial support to protect themselves and the more extensive health care networks they connect to.
In addition to these two proposed bills, the White House has issued the National Cybersecurity Strategy and Implementation Plan and the National Cyber Workforce and Education Strategy. Both initiatives highlight the administration’s focus on cybersecurity across various sectors, including health care. These strategies advocate a whole-of-nation approach to addressing ongoing cyber threats, emphasizing collaboration between government and private entities.
On March 11, President Biden submitted his fiscal year 2025 budget request to Congress. The president’s budget proposes substantial financial incentives to assist hospitals in defending against cyberattacks, with $1.3 billion allocated for this purpose. Initially, funds would target approximately 2,000 hospitals having the greatest need. In subsequent years, smaller amounts would be available to all hospitals that adopt enhanced cybersecurity practices. The budget also introduces penalties for hospitals failing to meet essential cybersecurity standards, with enforcement starting in FY 2029. Penalties could reach up to 100% of the annual market basket increase, with additional reductions of up to 1% from the base payment for non-compliant hospitals.
The budget allocates $13 billion across civilian departments and agencies to bolster federal cybersecurity, including an additional $103 million for CISA, totaling $3 billion to enhance cyberspace resilience and defense. Critical investments include $470 million for deploying federal network tools, $394 million for CISA’s internal cybersecurity capabilities, $41 million for critical infrastructure security coordination, and $116 million for critical infrastructure cyber event reporting.
The Advanced Research Projects Agency for Health (ARPA-H) recently launched the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program to bolster health care cybersecurity. This initiative, funded with over $50 million, focuses on developing advanced tools to enhance and automate cybersecurity measures in health care facilities.
Grant proposals will involve implementing real-time monitoring and automated responses to detect and address threats in hospital IT systems. This includes simulating real-world conditions using high-fidelity digital hospital equipment models and effectively testing patches before deployment. Successful proposals will utilize advanced algorithms and machine learning to identify potential threats and vulnerabilities in hospital IT systems. Once vulnerabilities are detected, the UPGRADE program will automatically generate, test, and deploy patches with minimal disruption to hospital operations. The program’s success relies on collaboration between IT staff, medical device manufacturers, health care providers, human factors engineers, and cybersecurity experts. The developed solutions will be adaptable to various health care environments, from small clinics to large hospital networks.
The UPGRADE program will enhance health care facilities’ cybersecurity posture by streamlining the process of identifying and addressing vulnerabilities. It aims to reduce the time from detecting a vulnerability to deploying a safe, automated patch to days. This initiative is part of a broader effort by the Department of Health and Human Services (HHS) to improve cyber resilience across the health care system, addressing the sector’s ongoing and evolving cyber threats.
These combined efforts highlight a significant federal commitment to improving cybersecurity in rural health care settings. By addressing workforce development, providing financial incentives, enhancing federal coordination, and leveraging existing resources, these initiatives aim to fortify the nation’s rural health care infrastructure against growing cyber threats.

