Hospital leaders, Congress, and governmental agencies have been collaborating on potential solutions to healthcare data breaches that have increased 93% from 2018 to 2022.

On Dec. 6, HHS released a concept paper pledging to publish new healthcare cybersecurity performance measures and work with Congress to create cybersecurity incentives for hospitals.

The HHS paper follows an uptick in legislative activity related to healthcare cybersecurity. In June, the bipartisan Rural Hospital Cybersecurity Enhancement Act made it out of committee. If enacted into law, the bill is designed to boost the rural healthcare cybersecurity workforce. Hospital leaders also pointed to the work that the government has already done to enact best cybersecurity practices for rural hospitals.

"To the question of what the government can do, it needs to continue executing on this relationship and listening to the sector's needs. There are already services in place. Within HHS, there's a program called the 405(d) program, and that has produced a voluntary set of best practices," Erik Decker, chief information security officer of Salt Lake City-based Intermountain Health and the chair of the Health Sector Coordinating Council, told Becker's in July.

"We call it HICP (Health Industry Cybersecurity Practices)," said Mr. Decker. "It contemplates small, medium and large sized hospitals and gives them 10 practices and mitigates the five most common threats that hospitals are getting beat with."

Since some of the ransomware gangs that target critical healthcare facilities originate in Russia, Mr. Decker said that the government could be spurred to act as tensions between the two countries heat up over Ukraine.

"The government interest has been there for a number of years. It got extra activated with the Russia-Ukraine conflict and it's been extra activated because of the ransom actors that have hit healthcare," Mr. Decker said.





