Feds Propose New Security Regs for Hospitals to Get Medicare/Medicaid $

Health and Human Services (HHS) says it is planning to take a range of actions to reduce cyberattacks on hospitals, which have gone a bit crazy in the last few years.

They released the proposal yesterday.

The plan is to impose the new cybersecurity requirements through the Medicare and Medicaid programs, tying payments to baseline standards.

The feds say that voluntary standards have not worked. That is an understatement, to be kind.

HHS wants hospitals to meet specific cybersecurity performance goals over the next few years.

HHS is also proposing updates to the HIPAA Security Rule next year. Those updates are long overdue.

They also say that they are planning to work with Congress to increase monetary penalties for HIPAA violations. Kind of a carrot and a stick deal.

This plan comes as hospitals face relentless attacks that have caused weeks-long outages and have forced ambulances to be diverted and appointments to be cancelled.

Researchers estimate that around 50 Medicare patients died between 2016 and 2016 as a result of the ransomware outages. The reality is that the number is much higher, but directly tying the deaths to a ransomware attack is hard. In addition, hospitals claim that ransomware has no effect on patient care. If that is true, why do they spend all that money on computers?

Through the Office for Civil Rights (OCR), HHS tracks large data breaches and has found a 93% increase in large breaches reported from 2018 to 2022 (369 to 712), with a 278% increase in large breaches reported to OCR involving ransomware from 2018 to 2022.

While this won’t have much of an effect in the short term, it may cause hospitals to spend more money to protect themselves. Hopefully.

Credit: The Record