HAP Blog

How Cybersecurity Became a Top National Priority

September 30, 2022

Emergency managers specializing in information technology have always known about the cybersecurity dangers that exist, especially in health care.

Now, we’re seeing federal action to catch up to the digital threats we face.

How did we get here? For health systems, a transition to digital records and the large number of IT systems within hospital walls have made us a target for bad actors. We know we have to put the proper safeguards in place to protect our patients’ information and our facility operations.

And I’m sad to report that the stakes are only growing, as the per-incident cost for a data breach in the U.S. was $9 million during, according to IBM. What’s next for cybersecurity? Here’s a roundup of some of the initiatives on the table. 

Legislative action

This year, federal lawmakers and agencies have introduced a host of legislative and regulatory actions to address cybersecurity in health care. We’ve seen new initiatives to bolster cybersecurity for medical devices and supply chains. Earlier this year, lawmakers introduced the Healthcare Cybersecurity Act to foster collaboration among federal departments, improve information-sharing, and provide training to the health care and public health sectors.

In March, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, otherwise known as “CIRCIA.”

CIRCIA could have a large impact on the whole cybersecurity community and the nation’s health care organizations. The legislation requires critical infrastructure companies (such as hospitals) to report covered cyber incidents within 72 hours and to report ransom payments within 24 hours after a payment is made.

The legislation reinforces something that’s critical to remember: during a cyber incident, you need to act quickly to limit the damage.

The government is hosting a series of listening sessions to hear from stakeholders about CIRCIA. I look forward to hearing what our hospital and health care partners have to say about the legislation as we continue to protect the nation’s health care infrastructure. 

What you can do

It’s easy to feel uncertain as we face larger digital threats than ever before. Remember that there are some steps you can take to protect your organization.

It all starts with preparation. You can’t stop every cyber threat, but you can limit your vulnerabilities. This year, the U.S. Department of Health and Human Services identified the following best practices to improve your cyber posture:

  • Maintain offline, encrypted backups of data and regularly test your backups
  • Conduct regular scans to identify and address vulnerabilities
  • Regularly patch and update software and operating systems
  • Train your employees regarding phishing and other IT attacks

These bedrock principles are a starting point as you focus on strengthening your cyber posture, and we know we’ll have to do more to stay ahead of the digital threats on the horizon.

If you’d like to know more about how you can bolster your cybersecurity, contact Jason Tomashunas, MS, CHEP, HAP manager, emergency management.

John Riggi, the AHA’s senior advisor for cybersecurity and risk, also offers coverage and resources about health care cybersecurity.
