Why enhanced cybersecurity funding must be addressed in 2024
If government agencies respond to the urgent need, they can use the model of the meaningful use incentives to jump-start a cybersecurity moonshot.
Most executives in the industry understand that cybersecurity in healthcare is no longer just a battle to protect patients’ personal information, safeguard corporate reputations or guard against lawsuits.
This November, patients were diverted to different emergency departments in Oklahoma, New Mexico and Texas after a cyberattack. The same thing also happened at five hospitals in Ontario just days after a similar attack in Kingston, N.Y. It only gets worse from there, as the University of Minnesota School of Public Health estimated that between 42 and 67 patients have already been killed as a downstream effect of ransomware attacks between 2016 and 2021.
It’s a problem that continues to snowball. The problem has not gone unnoticed by the U.S. government.
- The Protecting and Transforming Cyber Health Care Act of 2022 (PATCH Act) was signed into law on Dec. 29, 2022, as a part of the 2023 Consolidated Appropriations Act. Language included in the law is intended to strengthen the security of connected medical devices by compelling medical device manufacturers to demonstrate that their products meet certain minimum security requirements before being approved for use. As of March 29, 2023, a premarket application or submission of cyber devices must contain all information required by the FDA.
- The Food and Drug Administration’s cybersecurity spending bill was approved (Section 524B) in last year’s Omnibus, Ensuring Cybersecurity of Devices. On Oct. 1, 2023, the FDA began blocking approval of new medical devices if they aren’t secure and fail to address the requirements of section 524B.
If the problem isn’t awareness of the issue or ignorance of the stakes, then why haven’t we seen a groundswell of activity by hospitals and healthcare organizations to invest in better cybersecurity protections? Why does it seem like there simply isn’t enough action being taken to address this issue?
In 2024, this situation will reach a critical mass. The federal government will finally recognize that regulations and requirements aren’t enough to force change. There need to be penalties for non-compliance, and most importantly, funding should be put in place to drive that change forward.
Competing needs
Many hospitals today are struggling just to keep their lights on. Money is tight, and it's simply unrealistic to expect IT teams to make the significant investments needed to ensure that adequate cybersecurity defenses are in place, even though it’s the right thing to do.
It's tough to spend money to thwart potential or theoretical “what if” risks when so many immediate issues exist. When you have to choose between spending on maintaining medical equipment or improving technology used every day to provide care vs. spending on cybersecurity – well, cybersecurity will lose every time.
The other side of this equation is the cost of a cyberattack and the devastating impact one can have financially on a hospital looking to remediate the situation. As we all know, many hospitals are already at risk of insolvency. What happens when they are looking at a $10.93 million bill, the cost of the average hospital data breach, according to the latest research by IBM?
Federal funding
Two things have converged: raised awareness of the impact cybersecurity breaches are having on the ability to deliver patient care, and the problems hospitals and other healthcare organizations are having in finding the money to pay for the updates. That combination is why 2024 will finally see the government take action and financially incentivize healthcare providers to do the same.
And it’s not like there isn’t already an easy blueprint for the government to use to make this happen. About a decade ago, the federal government gave hospitals and healthcare organizations funding to install electronic healthcare records systems and the related technologies. To qualify, the organizations needed to prove meaningful use of the funds toward achieving that goal. This same approach can be updated and applied to the cybersecurity problem.
At stake are not just individual patients’ lives, but also the ability of many communities to provide healthcare. That’s why 2024 will finally be the year we’ll see meaningful actions taken toward providing the funding (and structure) necessary to make healthcare secure.
Wes Wright is chief healthcare officer for Ordr. He has served in several CIO and CTO roles at provider and technology organizations.