
Cybersecurity policy goals that support urgent health system needs

Cybersecurity is a major focus area for health system associates in all disciplines as cyberattacks against healthcare organizations continue to grow. As these challenges become impossible to ignore, the question of what role public policy should play in protecting patients and technology assets becomes even more important to answer. There are key areas where legislation and regulatory action can help drive best practices and standardization throughout the healthcare industry.

Why healthcare cybersecurity matters 

The healthcare industry is a prime target for cybercriminals, as health systems provide critical services and handle highly sensitive data. If their networks and technology are compromised, lives could be put at risk. Yet health care lags many sectors in terms of cyber maturity, creating dangerous gaps in many organizations’ defenses. If ransomware attacks breach a health system’s network, they can shut down facilities, delay treatments, reroute patients, and jeopardize outcomes. These attacks also have severe financial and reputational impacts. 

Establishing autonomy for health systems through Right to Repair 

A rapid response to cybersecurity risks is vital for safeguarding networked medical devices and IT resources. Carrying out such a strategy requires biomed technicians to have access to tools, information, training, and patches to effectively service technology. This is one of the key motivators behind the drive for Right to Repair legislation at the state and federal levels. Right to Repair ensures healthcare technology management teams are empowered to service mission-critical resources. 

Allowing health systems’ in-house clinical engineering teams or independent service organizations (ISOs) access to information needed to address vulnerabilities enables quick and effective device security and closes critical gaps. When ISOs or third parties can't address vulnerabilities, delays in device availability and patient care occur. Enacting Right to Repair legislation empowers health systems to protect against urgent cyber threats. 

Closing gaps in scope of existing regulations 

Policymakers should enhance recent legislative and regulatory efforts. The 2023 Consolidated Appropriations Act introduced policies requiring manufacturers to provide software patches for new devices. The law made strong progress in ensuring that health systems will be better equipped to defend against cyberattacks as they adopt new technology. 

However, only addressing new or future technology does not solve the most urgent existing cybersecurity problems in health care. Health systems need to be supported with a standardized approach for remediating and mitigating the security risks on existing devices, especially as they look to extend the useful life of their assets to contend with industry-wide financial challenges. Requiring manufacturers to patch or otherwise mitigate vulnerabilities will help keep devices secure and reduce the burden on cybersecurity teams. 

Building infrastructure in rural organizations 

Rural providers face unique cybersecurity challenges due to limited resources, smaller IT teams, and tight budgets. These organizations struggle to implement necessary defenses, and unfunded mandates for additional cybersecurity measures are unattainable without further support. Lawmakers should provide targeted funding to help rural systems acquire the tools and expertise to protect themselves and their communities. Unfunded mandates create significant compliance difficulties across all segments of the industry; rural health systems, however, are particularly at risk.

A multi-pronged approach 

Addressing medical device cybersecurity requires a comprehensive strategy involving the government and the private sector. This approach should include: 

  • New laws and regulations that expand cybersecurity requirements, guarantee access to the materials needed to effectively service and maintain medical devices, ensure timely patch distribution, and empower providers through Right to Repair policies. 
  • Federal resources and funding to help healthcare organizations, especially rural providers, invest in cybersecurity solutions and workforce development. 
  • Strengthening and expanding regulations to enable health systems to bolster defenses and ensure accountability. 
  • Collaboration and public-private partnerships to improve healthcare cybersecurity. 

Medical device cybersecurity has real-world consequences for patients, providers, and the future of American health care. Cyberattacks disrupt critical services, delay care, and put sensitive data at risk. Inaction will exacerbate the problem, leaving systems and patients exposed. Leaders have an opportunity to act on this critical issue. Protecting the healthcare sector is a matter of public health, patient safety, and national security.