KFF Health News, Sep 19 2024
The Health and Human Services Department's "current approach to healthcare cybersecurity — self-regulation and voluntary best practices — is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers," Sen. Ron Wyden, chair of the Senate Finance Committee, wrote in a recent letter to the agency.
In December, HHS put out a cybersecurity strategy meant to support the sector. Several proposals focused on hospitals, including a carrot-and-stick program to reward providers that adopted certain "essential" security practices and penalize those that didn't. Responsibility for the nation's health cybersecurity is shared by three offices within two different agencies. The health department's civil rights office is a sort of cop on the beat, monitoring whether hospitals and other health groups have adequate defenses for patient privacy and, if not, potentially fining them.
Nitin Natarajan, the cybersecurity agency's deputy director, told KFF Health News that the list was just a draft. The agency previously estimated it would finish the entities list — across sectors — last September. But since then, Meekins said, the agency has shown it's "not qualified to do it. There isn’t the funding there, there isn’t the engagement, there isn’t the expertise there."