OPINION:
A new virus — malicious computer code — is threatening Americans’ health. Computer hackers are compromising sensitive health information and disrupting hospitals’ ability to provide patient care. Public health and safety require the federal government to help health care providers better protect themselves in cyberspace.
Cyberattacks on health care providers are not merely a financial burden — although their remediation and recovery are often costly. The biggest concern is that cyberattacks can cause monthslong impacts on a hospital’s ability to provide critical care to patients.
When hospital systems are hacked, they may be unable to provide timely emergency services and medical care. Patient outcomes suffer, and death rates are higher. Nearby hospitals may become overcrowded, causing cascading regional impacts. Hackers are attacking hospitals and technology providers that underpin critical health care and public health sector functions. Earlier this year, when the health care payment processing company Change Healthcare suffered a ransomware attack, 74% of hospitals nationwide reported disruptions to patient care for months.
In the wake of the Change Healthcare attack, Congress is stepping up. Last month, Sens. Jacky Rosen, Nevada Democrat, Todd Young, Indiana Republican, and Angus King, Maine independent, introduced the Healthcare Cybersecurity Act of 2024. On a bipartisan basis, the Senate Homeland Security and Governmental Affairs Committee overwhelmingly approved the legislation at the end of July.
Building on a version of this legislation from two years ago, the new bill would create a liaison position between the government’s cyber agency, the Cybersecurity and Infrastructure Agency, and the Department of Health and Human Services to better facilitate collaboration and the sharing of cyber threat information. It would also require the secretary of health and human services to create and update a list of high-risk assets twice a year so the department can prioritize efforts to bolster the cyber resilience of these assets.
As our colleagues argued earlier this year in a report on cybersecurity issues in the health care and public health sector, Congress needs to improve HHS’ capabilities to fulfill its responsibilities to help hospitals and health care providers understand and mitigate cyber risk. This new legislation aims to do just that.
But the liaison, prioritized assets and sector-specific plans are just the first step. HHS has historically underfunded the public-private collaboration needed in cyberspace. While Congress should approve the modest funding increase proposed in the president’s fiscal 2025 budget request, it should also task the Government Accountability Office with assessing HHS’ organizational structure, resource allocation and collaboration efforts with industry to ensure that the department is spending its funding wisely in support of greater cyber resilience. Congress should also demand answers from HHS about why a new proposed grant program to help hospitals — particularly smaller, rural hospitals — improve their cybersecurity will not begin distributing funds for three to five years.
Better organizing and resourcing HHS will begin to solve cybersecurity problems from the top down. Still, Congress can also help from the bottom up, and two solutions are ready for action.
First, Congress should help address the shortage of skilled cybersecurity professionals within rural health care. Most rural hospitals lack a chief information security officer, a senior executive responsible for establishing and maintaining the vision, strategy, and programs to protect information assets and technologies. Virtual CISOs would provide a cost-effective alternative for smaller, under-resourced hospitals — a CISO who can come in during a cyberattack to help right the ship and restore medical operations. Congress should create a pilot program to test whether this solution can provide rural hospitals with the talent they need in a crisis.
Second, Congress should establish regional programs to help rural hospitals and smaller providers share the resources and expertise needed to transfer their data to secure cloud storage and implement other cybersecurity best practices.
Neither HHS nor hospitals themselves have found a solution to the deadly cyberattacks facing the sector. Now that Congress has the prescription pad, it must make sure the patient — America’s health care and public health sector — gets the cybersecurity medicine it needs.
• Annie Fixler is the director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, where Vincent Wang is an intern, Mr. Wang is a master’s student in public policy at Carnegie Mellon University.
Please read our comment policy before commenting.