Healthcare , Industry Specific , Legislation & Litigation

Bipartisan Bill Aims to Shut Rural Hospital Cyber Skill Gaps

Calls for CISA to Develop Cyber Workforce Development Strategy
Bipartisan Bill Aims to Shut Rural Hospital Cyber Skill Gaps
Sen. Josh Hawley, R-Missouri, and Sen. Gary Peters, D-Michigan (Image: U.S. Senate)

New bipartisan legislation introduced in the U.S. Senate aims to help address the shortage of cybersecurity skills facing rural hospitals, which increasingly find themselves in the crosshairs of hackers, including ransomware attackers.

See Also: Making Sense of FedRAMP and StateRAMP

The Rural Hospital Cybersecurity Enhancement Act is backed by Sens. Gary Peters, a Michigan Democrat, and Josh Hawley, a Missouri Republican. Peters is chair of the Senate Homeland Security and Governmental Affairs Committee, and Hawley is a committee member.

The bill would require the Cybersecurity and Infrastructure Security Agency to develop a comprehensive cybersecurity workforce development strategy for healthcare facilities located in "non-urbanized" areas that provide inpatient and outpatient care services, such as primary care, emergency care and diagnostic services.

“Ransomware attacks against hospitals and healthcare systems that compromise sensitive medical information and disrupt patient care must be stopped," Peters said in a statement. "Unfortunately, small and rural hospitals often lack the resources to invest in cybersecurity defenses and staff to prevent these breaches," he said.

Rural hospitals have become an increasingly popular target for cybercriminals. In March, healthcare sector cybersecurity experts testified to the Senate Homeland Security and Governmental Affairs Committee about the growing cyberthreats and challenges faced by these facilities (see: Healthcare Leaders Call for Cybersecurity Standards).

Cybersecurity gaps are widest at small rural hospitals, testified Kate Pierce, who served for 21 years as CIO and CISO at North County Hospital, a 25-bed community hospital in Vermont.

Staff at rural hospitals is scarce and stretched thin, she said. It is extremely rare to find individuals who are specifically assigned to handle security at those facilities, said Pierce, who is currently an executive at Fortified Health Security.

Just last week, Uintah Basin Healthcare, which includes a 42-bed hospital in rural eastern Utah, began notifying 103,974 patients who had received care between March 2012 and November 2022 that their health information was potentially compromised in a hacking breach. The incident last November forced the entity to take its systems offline (see: Uintah Basin Healthcare Data Breach Affects Over 100,000).

The bill would require CISA to develop a comprehensive rural hospital cybersecurity workforce development strategy that, at a minimum, considers public-private partnerships, development of curricula and training resources, and policy recommendations.

That includes requiring CISA creating instructional materials for rural hospitals to train staff on fundamental cybersecurity measures. The bill also calls for DHS to report annually to congressional committees regarding the strategy and any programs that have been implemented.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.