
Senate HELP hearing: Call for rural hospital incentives, list of vetted vendors

Last week, healthcare leaders urged Senate HELP members to support rural and critical access hospitals to address security resource gaps.
By admin
Jul 17, 2025, 1:34 PM

Congress can and should do more to support under-resourced providers, including rural hospitals, and other critical infrastructure entities to meet the cybersecurity challenges of the modern threat landscape, industry leaders testified during the Senate Committee on Health, Education, Labor, and Pensions (HELP) hearing on July 9.

“To best support healthcare delivery organizations, regulators need to shift away from approaches that penalize providers targeted by cyberattacks into policies that empower healthcare providers to strengthen their cyber defenses,” Linda Stevenson, Chief Information Officer of Fisher-Titus Medical Center, testified.

“When hospitals face budget constraints due to stagnant payment rates, they are often forced to reprioritize spending, redirecting limited resources toward immediate operational and patient care needs and away from long-term investments like cybersecurity,” she said.

The “Securing the Future of Health Care: Enhancing Cybersecurity and Protecting Americans’ Privacy” hearing renewed calls for federal support for rural hospitals and other critical access providers to address longstanding resource challenges and the constant targeting of healthcare by cybercriminals.

Stevenson’s list of recommended support needs included:

  • Leniency in breach reporting
  • Extension of claims processing deadlines in an event that keeps systems down for months at a time
  • Assistance with payments in anticipation of a slowdown in cashflow, whether that’s a loan or another resource
  • Support with emergency services that might be needed to recover, as sometimes we don’t have the expertise in-house

For rural providers, the resource and staffing challenges facing all of healthcare hit the hardest. Legal and operational responsibility, for one, puts the onus of cross-walking the patchwork of regulation and state laws squarely on the back of organizations that don’t have the means to effectively do so.

[Image: Linda Stevenson, testifying at Senate HELP cybersecurity hearing - July 2025]

Third-party vendor risk is another security challenge burdening the sector, particularly with vetting these business associates.

“It would be helpful if providers had an approved list of vendor products that have already been vetted to help us select from which meet a baseline set of privacy and security standards,” Stevenson testified.

The Health Sector Coordinating Council (HSCC) has been working on a system similar to FedRAMP, which spells out the precise cybersecurity requirements vendors must meet if they want to sell to the government, testified Greg Garcia, HSCC Executive Director.

The same type of framework could be effectively used in healthcare. But Garcia pointed out that there would likely be “a lot of push back from the technology and service providers.”

Sen. Bill Cassidy (R-Louisiana) said, “I think we need to put the person … actually providing the care first, and not the people who are just trying to sell a product.”

“That’s exactly what [HSCC] have advocated for: those that are serving any critical infrastructure, healthcare, they need to be held to a higher standard,” Garcia responded. “CTS developed a cyber trust mark doing just that. But its application in healthcare is a question.”

Cyber and IT resource and staffing challenges persist

While a great majority of the U.S. health system is facing budget and resource constraints, rural hospitals and other small critical access hospitals have been the hardest hit by the challenges.

For example, recruiting and retaining qualified IT and cybersecurity professionals has long been an uphill battle for health systems and hospitals in remote or smaller communities. The shift to remote work has exacerbated this issue in “rural areas where we are competing for talent with other, better resourced organizations across the country who lure strong candidates and talent away with higher compensation,” said Stevenson.

“We don’t have the capability in our workforce to deal with [the current state of threats] and nation state actors,” Garcia said. “We don’t necessarily need training — we need people.”

One way to address this would be to empower the National Guard at the state level, like a 911 civil defense, he continued. This could rally the community around rural hospitals and provide much needed expertise in the event of an emergency.

As seen with the Change Healthcare cyberattack and disruptions, small, under-resourced hospitals are still working to recover from the impacts of the event. Some care sites were forced to close permanently.

[Image: Greg Garcia, testifying at Senate HELP cybersecurity hearing - July 2025]

Sophisticated attacks are “beyond the capability for rural, small critical access health systems to counter — and even for the larger health systems,” Garcia said, “we cannot beat nation states.”

Removing liability concerns could improve the ability for organizations to respond to an event. Congress could reduce some of the liability challenges that make security leaders hesitant to share threat data, or the threats to their environment, security incidents, and other cyber instances.

“We need to be able to talk to each other and disconnect from each other. But we’re all afraid to talk about it. And if we have the opportunity with less liability that would be very helpful,” said Stevenson.

At the core of it all, what’s truly needed is resource support – and fewer penalties for providers attempting to keep patients safe, keep networks secure, and effectively respond to cyberattacks.

Industry leaders have long requested an incentivization program that would embolden low-resourced providers to invest in their cyber programs and training. In 2022, Sen. Mark Warner (D-Virginia) detailed an incentivization program that would directly fund low-resourced providers, as well as a workforce development program to reduce staffing gaps.

In the last three years, the detailed proposal has not yet been realized, despite overwhelming industry support. And as seen with last year’s Change Healthcare cyberattack, the disruptions, financial impacts, and patient safety risks remain a true threat to the healthcare sector.

For rural hospitals, these financial challenges are more acute. As Stevenson noted in her written testimony, the majority operate at a loss: 50% are in the red in 2024, up from 43% the previous year.

“Their ability to make strategic investments in cybersecurity and workforce is severely limited,” Stevenson wrote. “While mid-to-large hospitals typically allocate 6 to 10% of their IT budgets to cybersecurity, small and rural hospitals spend closer to 4%, further underscoring the disparity in their ability to defend against cyber threats.”

Garcia pitched in: “We need support, whether that’s financial incentives to invest in cybersecurity or direct financial support.”

While these challenges and possible solutions are well known within the sector, industry leaders must continue to sound the alarm on the need for support to continue moving healthcare toward a more modernized and resilient cyber foundation.

