Senators Introduce Rural Hospital Cybersecurity Enhancement Act

May 15, 2023 - United States Senators Josh Hawley (R-MO) and Gary Peters (D-MI) have introduced the Rural Hospital Cybersecurity Enhancement Act, aimed at addressing critical cybersecurity gaps at rural healthcare facilities. As previously reported, rural hospitals face unique challenges when it comes to managing cybersecurity with limited budgets and staff.

Hawley, a member of the Senate Homeland Security and Governmental Affairs Committee (HSGAC), along with Peters, the HSGAC chairman, introduced the legislation following a recent HSGAC hearing in which healthcare cybersecurity experts pointed to rural hospitals as a key focus area for improving cybersecurity.

“The impact on rural communities during a cyberattack is hard to overstate,” Kate Pierce, senior virtual information security officer at Fortified Health Security, testified during the hearing.

“While attacks in urban areas are impactful, populated areas provide other healthcare options for patients to choose. In most rural areas, the next closest healthcare facility may be 45 miles away or more, making the diversion of patients infeasible.”

Pierce cited unprecedented budget constraints, a lack of staffing dedicated to cybersecurity, and challenges with obtaining and relying on cyber insurance policies.

The newly introduced legislation aims to tackle these challenges by requiring the Cybersecurity and Infrastructure Security Agency (CISA) director to develop a “comprehensive rural hospital cybersecurity workforce development strategy.”

This strategy should consider the development of new curricula and training resources, public-private partnerships, and policy recommendations, the act states.

In addition, the act would require the CISA director to create instructional materials to help rural hospitals train staff on key cybersecurity measures. What’s more, the Secretary of Homeland Security would be required to report annually to HSGAC and the House Committee on Homeland Security regarding updates to the strategy.

“Ransomware attacks against hospitals and health care systems that compromise sensitive medical information and disrupt patient care must be stopped. Unfortunately, small and rural hospitals often lack the resources to invest in cybersecurity defenses and staff to prevent these breaches,” Peters said.

“This bipartisan legislation will require the federal government to ensure our most vulnerable health care providers have the necessary tools to protect patient information and provide lifesaving care even as criminal hackers continue to target their networks.”

As rural hospitals continue to face challenges with managing cyber risk, free and low-cost resources may prove crucial to filling urgent gaps. For example, rural healthcare organizations may leverage free tools and guidance from the Office of the National Coordinator for Health Information Technology (ONC), as well as the latest cyber threat information from the Health Information Sharing and Analysis Center (Health-ISAC).

Even with these free resources available, additional government support for rural hospitals is urgently needed, experts suggest.

“We cannot leave our small and rural hospitals behind,” Pierce said during the hearing in March. “Funding opportunities must be made available to these hospitals.”