The American Hospital Association (AHA) is urging the U.S. Department of Health and Human Services (HHS) to reconsider its plan to make it mandatory for hospitals to comply with new cybersecurity requirements and issue financial penalties if they fail to do so.
Last week, the HHS published its healthcare cybersecurity strategy, which outlines the steps the HHS has taken and plans to take in the future to improve healthcare cybersecurity. Those plans include introducing two tiers of Healthcare and Public Health Sector-specific Cybersecurity Performance Goals (HPH CPGs) – essential and enhanced. The essential HPH CPGs will include high-impact cybersecurity requirements for improving cyber resiliency and are intended to establish a baseline for cybersecurity, whereas the enhanced HPH CPGs are desirable cybersecurity requirements to further improve security and protect patient privacy. While both tiers of HPH CPGs would be voluntary initially, the HHS explained in its cybersecurity strategy that it plans to make the essential HPH CPGs enforceable in the future and will be working with Congress to increase the penalties for HIPAA violations.
The AHA believes that forcing hospitals to make investments in cybersecurity and imposing financial penalties if they suffer a cyberattack and haven’t implemented certain cybersecurity measures would be counterproductive and undermine the efforts hospitals are already making to improve cybersecurity. “Hospitals and health systems have invested billions of dollars and taken many steps to protect patients and defend their networks from cyberattacks,” said AHA President and CEO Rick Pollack. “The AHA has long been committed to helping hospitals and health systems with these efforts, working closely with our federal partners, including the FBI, HHS, Cybersecurity and Infrastructure Security Agency, and many others to prevent and mitigate cyberattacks.”
While the AHA expressed support for the HHS proposal to issue incentives for improving cybersecurity and to make funding available to help low-resource hospitals cover the initial cost of cybersecurity improvements, it argued that punishing hospitals financially is unfair, especially when cyberattacks are commonly conducted by sophisticated cyber actors who work in collusion with hostile nation-states.
“The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime. Many recent cyberattacks against hospitals have originated from third-party technology and other vendors. No organization, including federal agencies, is or can be immune from cyberattacks. Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks.”
The post AHA Opposes HHS Plan to Penalize Hospitals for Cybersecurity Failures appeared first on HIPAA Journal.