After Barrage of Hacks, Hospitals Will Face New Federal Cybersecurity Rules Tied to Funding

The Biden administration plans to unveil new cybersecurity requirements for hospitals in the coming weeks as government officials scramble to stem a disturbing tide of hacks that have crippled health-care providers, delayed procedures and raised concerns about patient safety.

The Centers for Medicare & Medicaid Services, an arm of the Department of Health and Human Services, will propose rules within the next month or so that would require hospitals to establish basic digital security defenses in order to receive federal funding, according to a senior administration official.

The government is “homing in on those key cybersecurity practices that we really do believe bring a meaningful impact,” said the official, who requested anonymity to preview an upcoming policy. The official said the government expects the new requirements to take effect “before the end of the year.”

Hospitals have been a top target of cyber criminals for years because of their heavy dependence on technology for both routine administrative tasks and complicated medical procedures. Last November, for instance, a cyberattack on Tennessee-based firm Ardent Health Services forced hospitals in several states to divert ambulances to other emergency rooms and reschedule non-emergency procedures. And, in August, an attack on a California-based hospital chain similarly forced the cancellation of surgeries and the closure of urgent-care centers.

As cyberattacks have pushed hospitals across the country to the breaking point, the Biden administration has been weighing its options for enforcing better security in the industry. Now, under a plan that Health and Human Services finalized late last year, the administration is about to act.

The new cyber rules will join a vast collection of requirements governing how hospitals must operate — from building design to patient interactions — if they want the federal government’s Medicare and Medicaid programs to reimburse their expenses.

The requirements will include using multi-factor authentication, which adds an extra login step after the traditional password, and operating a program to fix software vulnerabilities within a set amount of time after they are discovered. The senior administration official said basic security practices like these “really do shut the door to most of our cyber incidents.”

After decades in which the government mostly avoided telling critical industries how to protect themselves from hackers, the Biden administration has mounted an ambitious effort to enact new cybersecurity requirements using agencies’ existing authorities. Following the May 2021 Colonial Pipeline ransomware attack, which snarled fuel supplies up and down the East Coast, the Transportation Security Administration issued cyber rules for pipeline operators. The TSA subsequently made those rules more flexible after criticism from the industry, and that process paved the way for similar requirements for the aviation and rail industries.

Health and Human Services is following in the TSA’s footsteps with its hospital cybersecurity rules, the senior administration official said. Some of the requirements, like using multi-factor authentication, will be clearly defined and prescriptive, while others, like the obligation to maintain a vulnerability-fixing process, will leave the details (such as the required timeframe for patching software flaws) up to individual hospitals.

The administration expects to haggle over the details of certain requirements during the public comment period after the rule is released. “It’s easier to have negotiations if we start with [something] more prescriptive and then dial back, as we did with TSA,” the official said.

It remains to be seen how the powerful hospital industry will respond to the new rules. But it appears likely that the Biden administration will have a fight on its hands. After Health and Human Services first indicated last December that regulations were coming, the American Hospital Association blasted the government’s plan to impose requirements that were tied to federal funding.

The AHA declined to comment on the new details of the rules. Health and Human Services did not respond to a request for comment about whether it expected a legal challenge to the forthcoming rules.

If the hospital industry chooses to fight the Biden administration’s plan, there is a precedent for success. Last October, the Environmental Protection Agency withdrew cybersecurity rules for water facilities after the water industry partnered with Republican state attorneys general to sue the agency over the requirements.
