The Shortcomings of the Microsoft-Google Cybersecurity Initiative for Rural Hospitals
Jackie Mattingly, Senior Director of Consulting Services, Clearwater
The recent cybersecurity initiatives by tech giants Microsoft and Google, designed to strengthen the defenses of rural hospitals, have generated considerable attention within the health care community. Although these efforts are commendable and underscore the urgent need for improved cybersecurity in health care, they fall short of addressing the core challenges that rural hospitals face.
Understanding the Real Cybersecurity Challenges
Rural hospitals face cybersecurity challenges that go well beyond the provision of tools. One of the most pressing is third-party risk, which has been a significant vector for breaches. These hospitals rely on many outside vendors, from electronic health records (EHR) systems to networked medical devices, and each vendor connection is a potential point of entry for an attacker. Without robust vetting before onboarding and continuous monitoring afterward, these third-party connections become the weak links in the cybersecurity chain.
Additionally, rural hospitals typically operate with limited financial resources and a shortage of skilled cybersecurity professionals. This resource constraint makes it difficult to implement and maintain comprehensive cybersecurity programs. The constant evolution of cyber threats necessitates continuous monitoring and updating of security measures, a task that is daunting for hospitals already stretched thin. Imagine a small town's volunteer fire department receiving the latest, most sophisticated firefighting equipment. Without the necessary training and manpower, this advanced equipment remains unused and ineffective. In the same way, rural hospitals can possess the most cutting-edge cybersecurity tools, but without proper staffing and expertise, these tools are rendered useless.
For example, a sophisticated intrusion detection system (IDS) is only effective if it is properly configured, tuned to the hospital's environment, monitored, and maintained; an IDS whose alerts nobody triages adds noise and a false sense of security rather than protection. Without skilled personnel to manage these tools, they become more of a burden than a benefit. Training existing staff is an important step, but it is not a complete solution. Many rural hospitals have minimal IT staff, and the demands of day-to-day operations leave little time for the extensive training needed to manage complex cybersecurity tools.
The Need for Government Funding and Third-Party Expertise
To level the playing field, rural hospitals need access to the same cybersecurity capabilities that larger institutions already have. This can be achieved through government grants and incentives designed to offset the costs of engaging managed security service providers (MSSPs). Such funding would enable small hospitals to implement security practices based on industry standards and to sustain ongoing risk management.
MSSPs specializing in health care cybersecurity can offer the expertise and resources that small hospitals lack. These experts can conduct thorough risk assessments, develop tailored cybersecurity strategies, and offer ongoing monitoring and support. This approach ensures that cybersecurity measures are not only implemented but also maintained and updated in response to evolving threats.
A structured approach to post-assessment support is crucial. Identified risks should be actively mitigated through comprehensive action plans and remediation efforts, with the necessary resources and expertise provided to hospitals. This ensures that cybersecurity initiatives lead to substantial, lasting enhancements rather than temporary fixes.
Moving Beyond the Microsoft-Google Initiative
While the Microsoft-Google initiative represents a step in the right direction, it is not enough to drive meaningful improvement in protecting our most vulnerable hospitals and the patients they serve. To achieve true cybersecurity resilience, a holistic approach is needed—one that includes government funding, third-party expertise, and ongoing support.
For instance, the HHS Information Security Program, which plays a crucial role in safeguarding sensitive patient information under HIPAA regulations, has faced significant challenges in achieving its objectives. The Department of Health and Human Services FY 2023 Federal Information Security Modernization Act (FISMA) Report published on June 24, 2024, detailed these issues, emphasizing the need for improvements to strengthen compliance efforts and protect health care data from evolving cyber threats.
The FISMA report identified several key findings and common weaknesses, including persistent challenges in reaching the "Managed and Measurable" maturity level, significant disparities in cybersecurity practices among divisions, policy gaps, and inconsistent implementation across Operational Divisions (OpDivs) and Staff Divisions (StaffDivs). These deficiencies jeopardize the security of patient data and expose HHS itself to cyber threats and breaches.
The real-world impact of these vulnerabilities can be seen in the case of St. Margaret's Health in Illinois, which closed its doors in 2023 partly because of the financial strain and operational disruptions caused by a 2021 ransomware attack. The attack crippled the hospital's billing system and caused significant delays in patient care, ultimately contributing to the decision to shut down (Becker's Hospital Review).
The Biden administration has emphasized its commitment to improving the resilience of the health care sector to cyberattacks. However, record breaches and increasing ransomware attacks indicate that more needs to be done. A comprehensive strategy that addresses the specific needs of rural hospitals is essential to safeguard patient safety and protect against cyber threats.
About the Author:
Jackie Mattingly is a Senior Director of Consulting Services at Clearwater, focused on serving the cybersecurity and compliance needs of regional and community hospitals. She has more than 20 years of experience in health care IT and has spent the last decade in information security, including serving as Chief Information Security Officer for Owensboro Healthcare in Kentucky.
Jackie is a board member of the Association for Executives in Healthcare Information Security (AEHIS) contributing to the advancement of health care information security professionals and also a board member for the Women in CyberSecurity Healthcare (WiCyS Healthcare) contributing to reshaping the social and technical landscapes of our critical health systems. She also serves as Adjunct Faculty Instructor for the University of Southern Indiana (USI), helping to educate the next generation of health care privacy and security professionals.