Hospitals balk at Biden cybersecurity upgrade

Illustration: Sarah Grillo/Axios
A sweeping update of federal security standards to better protect patient data against cyberattacks is drawing pushback from health systems, which say it's unworkable and too expensive.
Why it matters: With the effects of the massive Change Healthcare attack still resonating and increasingly sophisticated attacks hitting hospitals, there's concern about a one-size-fits-all approach and how smaller and financially strapped facilities can adapt.
- Experts say the move to update standards in the last days of the Biden administration didn't adequately consider real-world consequences for an industry grappling with tight margins and a web of aging infrastructure.
The big picture: The new requirements mark the first major overhaul of the Health Insurance Portability and Accountability Act's Security Rule in more than a decade and attempt to address the advent of AI, quantum computing and virtual reality.
- The changes lay out how HIPAA-covered entities must encrypt data and follow best practices for multifactor authentication and regular security audits. They also call for written procedures to restore critical information systems and data within 72 hours of an attack.
- Health and Human Services notably wants to drop the current distinction between "required" and "addressable" safeguards, which lets providers decide whether certain safeguards are reasonable and appropriate for their environment and document an alternative if not.
- The department estimates first-year costs of complying with the changes would total about $9 billion, and that for years two through five, estimated annual costs would be about $6 billion.
What they're saying: "The cost of not acting is not only high, it also endangers critical infrastructure and patient safety, and it carries other harmful consequences," Anne Neuberger, deputy national security adviser for cyber and emerging technology, said last month.
- HHS' Office for Civil Rights says reports of large security breaches increased by 102% from 2018-2023 and that hacking and ransomware attacks affected more than 167 million individuals in 2023 alone.
Between the lines: Many of the requirements amount to a long-overdue move in the right direction, health system officials said. "It's all stuff we'd like to do if, as they say, money grew on trees," Nate Lesser, chief information security officer at Children's National Hospital, told Axios.
- He said it makes practical sense to push for better practices such as multifactor authentication across systems. The Change Healthcare attack was blamed, in part, on the lack of such a control.
- But the update reflects the expectation that multifactor authentication be applied to anything that touches patient health information, Lesser said.
- That means if a single researcher downloads patient information and doesn't protect it properly, a hospital could be subject to a fine. "It expects a level of perfection that is unrealistic, and that increases our liability," Lesser said.
Zoom in: In both conversations with Axios and comments to HHS, experts noted that multifactor authentication (requiring a second factor beyond a password, such as a code from another device or a face scan) might make sense in certain clinical environments and for remote activities.
- But repeated credential verification may not work in a trauma center, where seconds can mean the difference between life and death, or in a lab where personnel are clad head-to-toe in protective gear.
Hospitals and providers say they simply don't have the resources to hire experts, or the bandwidth to meet the testing requirements and annual assessments of their systems that the rule requires.
- Vendors also would have to comply with the higher standards — raising the liability hospitals face if a single vendor falls out of compliance.
- Chelsea Arnone, director of federal affairs for CHIME, a group that represents hospital IT experts, pointed to one of its members' recent experiences consulting for a critical access hospital that had its emergency room door fixed with duct tape after being shattered by a rock.
- "How the heck do you think that hospital is going to stay open as an access point of care? They can't even fix their front door," Arnone said about the cost burden of the rule.
The other side: HHS didn't respond to a request for comment about the concerns with the proposed changes.
- HHS Deputy Secretary Andrea Palm has cited how the increasing frequency and sophistication of cyberattacks in the health care sector pose a significant threat to patient safety and how the changes will help ensure providers are not only better prepared but resilient.
- With the proposed rule, the Biden administration announced financial and technical assistance being offered by Microsoft and Google for critical access hospitals and eligible rural hospitals and nonprofits.
What to watch: Many organizations are taking a wait-and-see approach about whether the Trump administration will enforce the rule.
- "How is the new administration going to look at this? That's just the big question on everyone's mind," said Morgan Lewis associate Michael Madderra.
