Fraud Management & Cybercrime , Healthcare , Industry Specific
Why Aren't More Rural Hospitals Accepting Free Cyber Help?
Some Face Hurdles in Tapping Into Free, Discounted Services From Microsoft, GoogleRural and small hospitals often complain that a lack of resources is a major factor stunting their cybersecurity maturity. But even when offered free or discounted cyber assistance, many of these organizations aren't signing up.
See Also: 2024 CISO Insights: Navigating the Cybersecurity Maelstrom
In June, the Biden administration - with Microsoft and Google - announced a program aimed at providing cyber-starved rural and small hospitals free or low-cost products and services to help get things rolling (see: Microsoft, Google Offering Cyber Help to Rural Hospitals).
But so far, only about 350 of 1,800 small and rural U.S. hospitals - about 20% - have accessed the Google and Microsoft solutions, according to Anne Neuberger, deputy national cyber director, who spoke at a conference last week in Washington, D.C.
Kate Pierce, executive director of government affairs at security firm Fortified Health Security, said these initial numbers "can be a bit deceiving," and when you consider eligibility requirements, about half of the hospitals are participating in the program.
Microsoft only offers the solutions to independent critical access hospitals, or CAHs, and rural emergency hospitals, or REHs, said Pierce, a former longtime CIO and CISO at a rural Vermont hospital. The number of independent rural hospitals has been steadily declining in recent years, she said, leaving about 1,367 CAHs and 32 REHs in the U.S. - about 1,400 hospitals in total. "If less than half are independent, this is less than 700. Therefore, the 350 that are taking part may be as much as 50% of those who qualify," she said.
Ransomware attacks have been rising across the healthcare sector, and they can be highly disruptive to rural hospitals, which serve more than 60 million Americans, the White House said in a statement in June announcing the program.
Most rural hospitals are critical access hospitals and are located more than 35 miles away from another hospital, "which makes diversions of patients and staffing-intensive manual workarounds in response to attacks more difficult," the White House said.
Obstacles to Technology and Resources
For many of these types of organizations, cybersecurity help is certainly much needed, experts agree. But the devil is in the details.
"Having such power players like Google and Microsoft chip in to the fight is a benefit. The more support and reinforcements, the better," said Brad Marsh, a registered nurse and executive vice president of government and clinical innovation at consulting firm First Health Advisory.
"However, cybersecurity in healthcare is not just bits and bytes; there are blood and bone implications for every cybersecurity issue," he said.
"Just as there's no such thing as a free lunch, there is no such thing as 'free cybersecurity,'" said former healthcare CIO David Finn, executive vice president of governance and risk at First Health Advisory.
"Cybersecurity is ultimately a people problem, not a technology problem - primarily because people must determine what security tools they need. They must determine risks, what they will protect against, and how - while considering how to implement, monitor and keep the technology running," he said.
These free tools require documentation, both for the technology and for how it is used, as well as supportive policies and procedures for every user of the systems they use that may be impacted by the free tool," Finn said.
"Then come the 'free' policies and procedures written for an organization completely unlike your own. And then something changes, which will require updates to the tool, the people and the processes," he said.
What Does 'Free' Mean?
Another big question about all of the offerings available: What exactly does "free" mean once an entity digs below the surface of the offerings?
"Microsoft and Google's lists vary in offerings. Microsoft offers deeply discounted pricing for its suite of products. Additionally, these healthcare delivery organizations can get the Advanced Security Suite free for a year if they are using eligible Microsoft solutions," Marsh said.
"This is where those in acquisition and contracting start to unpeel the onion. While I am not saying there is anything nefarious in their intentions, there are instances where the free item has unseen cost implications. Software needs hardware to run on, and systems administrators to manage it," he said.
"Additionally, one should not assume that healthcare delivery organizations use either Microsoft or Google products. I recently spoke with a friend at an HDO who used an email service I had not heard about since the early 2000s," Marsh said. "If they were required to implement either provider's solutions first, that would be cost prohibitive."
Microsoft did not immediately respond to Information Security Media Group's request for comment.
Google in June said it is offering endpoint security advice to rural hospitals and nonprofit organizations at no cost, as well as a pool of funding to support software migration.
It also said it will launch a pilot program with four to five rural hospitals to develop a package of security capabilities that fit these hospitals' unique needs.
Right now, Google is looking for ways to expand offerings suited for rural and small hospitals, said Taylor Lehmann, director of the Office of the CISO at Google Cloud.
"Google has developed an initial suite of available products, but we are also taking a deep-dive approach so we can best understand the rural health systems we are seeking to serve," he said.
"Since May, we've met with numerous health systems - touring facilities, talking to administrators, seeing these organizations support their communities in action. We've learned that no two rural health systems are the same, and this adage extends to cybersecurity," he said.
"Many have prioritized efforts and built strong cybersecurity programs, while others are in need of a full spectrum of assistance beyond simply discounting services they already have. Indeed, we've seen many organizations take advantage of these programs to lower their technology spending and reapply those savings to supporting patient care - but the great majority of health systems need more than discounts," Lehmann said.
"Prior to starting this work, we knew the tools we initially offered would require the pairing of implementation and support services - as well as long-term discounts - which we have prioritized in our rural health offer," he said.
In addition to services, Google has bolstered its offers by partnering with the Health Information Sharing and Analysis Center to help rural systems onboard into intelligence-sharing programs and has agreed to help distribute resources from the Health and Public Health Sector Coordinating Council through this program, Lehmann said.
"Further, we've extended no-cost incident response retainers from our Mandiant division to all qualified rural health hospitals and clinics," Lehmann said.
A 'Whole of Nation' Approach
John Riggi, national cybersecurity adviser at the American Hospital Association - which worked with the Biden administration, Microsoft and Google in the effort - said that the participation so far in the White House program is on the uptick.
"I'd like to point out how significant it is that so many underresourced hospitals have already benefited from this program in a very short time - registering 414 hospitals in two months is a huge step in the right direction and on pace to exceed Microsoft's goal of 500 by the end of September," he said.
Riggi said the AHA will continue to work directly with the White House, Google and Microsoft in a "whole of nation approach" to develop the program and reach the "right people" in the hospitals.
"We believe that, at this point, the primary barrier to entry into the program may be simply an awareness issue rather than an indication that hospitals are making a conscious decision not to participate in the program for specific reasons," he said.
"We are also seeking feedback from the field to identify any programmatic or technical issues that may be inhibiting hospital registrations. Of course, we continue to advocate with all our commercial partners to expand hospital eligibility for these offerings, and we express our gratitude for what has been put forth thus far," Riggi said.
In addition to the Google/Microsoft program, in May, the Advanced Research Projects Agency for Health, ARPA-H, a unit of the Department of Health and Human Services, launched the Universal Patching and Remediation for Autonomous Defense - or UPGRADE program, a cybersecurity effort aimed at investing more than $50 million to create tools for hospital IT teams to spot and patch vulnerabilities (see: HHS Funds $50M to Spot, Patch Hospital Vulnerabilities).
The bottom line is that many small and rural hospitals that are candidates for these types of programs are independent, Pierce said. "They don't want to be given such limited options. Funding to enable these facilities to make independent choices to match their individual cyber needs will go much further than offering a single solution."
Healthcare sector organizations could benefit most from funding to directly offset costs for their programs, she said.
"While this is a place to start, we can't ignore that our complex healthcare system encompasses much more than hospitals. Until we can secure the entire ecosystem, healthcare will still be a prime target for cybercriminals."