Bipartisan Bill Aims to Shut Rural Hospital Cyber Skill GapsCalls for CISA to Develop Cyber Workforce Development Strategy
New bipartisan legislation introduced in the U.S. Senate aims to help address the shortage of cybersecurity skills facing rural hospitals, which increasingly find themselves in the crosshairs of hackers, including ransomware attackers.
The Rural Hospital Cybersecurity Enhancement Act is backed by Sens. Gary Peters, a Michigan Democrat, and Josh Hawley, a Missouri Republican. Peters is chair of the Senate Homeland Security and Governmental Affairs Committee, and Hawley is a committee member.
The bill would require the Cybersecurity and Infrastructure Security Agency to develop a comprehensive cybersecurity workforce development strategy for healthcare facilities located in "non-urbanized" areas that provide inpatient and outpatient care services, such as primary care, emergency care and diagnostic services.
“Ransomware attacks against hospitals and healthcare systems that compromise sensitive medical information and disrupt patient care must be stopped," Peters said in a statement. "Unfortunately, small and rural hospitals often lack the resources to invest in cybersecurity defenses and staff to prevent these breaches," he said.
Rural hospitals have become an increasingly popular target for cybercriminals. In March, healthcare sector cybersecurity experts testified to the Senate Homeland Security and Governmental Affairs Committee about the growing cyberthreats and challenges faced by these facilities (see: Healthcare Leaders Call for Cybersecurity Standards).
Cybersecurity gaps are widest at small rural hospitals, testified Kate Pierce, who served for 21 years as CIO and CISO at North County Hospital, a 25-bed community hospital in Vermont.
Staff at rural hospitals is scarce and stretched thin, she said. It is extremely rare to find individuals who are specifically assigned to handle security at those facilities, said Pierce, who is currently an executive at Fortified Health Security.
Just last week, Uintah Basin Healthcare, which includes a 42-bed hospital in rural eastern Utah, began notifying 103,974 patients who had received care between March 2012 and November 2022 that their health information was potentially compromised in a hacking breach. The incident last November forced the entity to take its systems offline (see: Uintah Basin Healthcare Data Breach Affects Over 100,000).
The bill would require CISA to develop a comprehensive rural hospital cybersecurity workforce development strategy that, at a minimum, considers public-private partnerships, development of curricula and training resources, and policy recommendations.
That includes requiring CISA creating instructional materials for rural hospitals to train staff on fundamental cybersecurity measures. The bill also calls for DHS to report annually to congressional committees regarding the strategy and any programs that have been implemented.