
Why New Cyber Penalties May Strain Hospital Resources

John Riggi of the American Hospital Association on HHS' Upcoming Cyber Regulations
John Riggi, national cybersecurity and risk adviser, American Hospital Association

White House efforts to ratchet up healthcare sector cybersecurity are critically important, but possible financial penalties levied for non-compliance with upcoming cyber requirements that are directed only at hospitals could do more harm than good, said John Riggi, national cyber and risk adviser of the American Hospital Association.


Earlier this year, the Biden administration issued "cybersecurity performance goals" for the healthcare sector consisting of 10 "essential" practices, such as multifactor authentication, and 10 "enhanced" practices, including cybersecurity testing. At the time, the CPGs were called "voluntary," but they are anticipated to become mandatory requirements for hospitals under pending U.S. Department of Health and Human Services regulations expected to be released soon, Riggi said (see: Feds Wave Sticks & Carrots at Health Sector to Bolster Cyber).

"The Biden administration is poised to impose minimum mandatory cybersecurity regulations upon hospitals consisting of those 10 essential and 10 enhanced cybersecurity performance goals," he said (see: Will Upcoming HHS Cyber Regs Move Needle in Health Sector?).

While the AHA "absolutely agrees with these practices," HHS' expected plans to have them apply only to hospitals - with possible financial penalties for noncompliance - are concerning, he said.

That's because many of the largest and most disruptive cyber incidents in the healthcare sector have been experienced by nonhospitals, such as health insurers and third-party vendors, including Change Healthcare. Plus, many of the 6,000 hospitals in the U.S. already lack the means needed to implement stronger cybersecurity programs.

"It's a very significant concern we have, because ultimately, not only are we concerned that there are lack of resources for those hospitals most in need, but that the penalties are very severe," Riggi said.

"Those fines will end up taking away necessary resources that hospitals could use to defend against these attacks and to bolster their cybersecurity programs," he said.

In this video interview with Information Security Media Group, Riggi also discussed:

  • The AHA's recent collaboration with the White House to secure cybersecurity resources from Google and Microsoft to help rural and nonprofit hospitals;
  • Other cybersecurity regulatory issues facing the healthcare sector;
  • Evolving global cyberthreats from China, Russia, North Korea and other nations.

Riggi leads cybersecurity and risk for the American Hospital Association, which has more than 5,000 U.S. member hospitals. He previously served in the FBI for 30 years in a variety of leadership roles, including representative to the White House Cyber Response Group. He also served as a senior representative to the CIA, working as the national operations manager for terrorist financing investigations. Riggi is also a keynote speaker at the ISMG Healthcare Security Summit in New York City on July 18.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
