Cyber Legislation Advances Just as a Rural Hospital in Illinois Closes
Bipartisan legislation proposing to help rural hospitals better address cybersecurity personnel shortages cleared a Senate committee Wednesday amid signs of a deepening ransomware crisis affecting hospitals serving areas with low population density.
The Senate Homeland Security and Governmental Affairs Committee approved the Rural Hospital Cybersecurity Enhancement Act during a Wednesday session. Its sponsor is Missouri Republican Sen. Josh Hawley, and it is co-sponsored by the committee chair, Sen. Gary Peters, a Michigan Democrat. Ten senators approved the bill, and Kentucky Republican Sen. Rand Paul voted “present.”
The bill directs the Cybersecurity and Infrastructure Security Agency – in consultation with the departments of Health and Human Services, Labor, and Education – to develop a cybersecurity workforce development strategy for rural hospitals and to publish instructional materials. The bill calls for CISA to make legislative proposals necessary to implement the strategy (see: Bipartisan Bill Aims to Shut Rural Hospital Cyber Skills Gaps).
The committee voted to pass the bill with an amendment from Paul specifying that CISA shouldn’t ask for additional funds to carry out the proposal.
The bill stemmed from a hearing the committee held in March examining cybersecurity threats facing the healthcare sector, Peters said (see: Healthcare Leaders Call for Cybersecurity Standards).
The hearing included testimony by witnesses who told the legislators that IT and security staff at rural hospitals are scarce and overworked. Rural hospitals rarely have a dedicated cybersecurity worker.
“What we heard was that rural hospitals in particular are soft targets to cybercriminals,” Hawley said to his committee colleagues at Wednesday’s markup.
“Just yesterday, there were media reports that a rural hospital in Illinois had to close completely because of a cyberattack,” said Hawley, referring to 44-bed St. Margaret’s Health in Spring Valley, Illinois, which announced it is permanently shutting down its two small hospitals and clinics on Friday due to financial and other woes worsened by a 2021 ransomware incident (see: Rural Healthcare Provider Closing Due in Part to Attack Woes).
Small and rural hospitals are hit especially hard with cyber skills shortages for multiple reasons, Nate Couture, CISO of the University of Vermont Health Network, told Information Security Media Group.
“The economic reality of small and rural hospitals is that their overall IT teams are likely to be small,” he said.
“When small and rural organizations can fund a full- or partial-time employee toward cyber, it will generally be at a much lower compensation rate than other industries,” he said.
Healthcare is also not viewed by many candidates as being on the cutting edge of cybersecurity, often due to insufficient funding to invest in the latest capabilities, Couture added.
“This makes it a challenge for small and rural hospitals to hire the skill set that is available on the market.”
Also contributing to the workforce issues is the reimbursement model from payers and government programs for patient care services delivered by rural hospitals, said Mike Ward, CIO of Covenant Health, a health system that serves a 23-county area in eastern Tennessee.
“While we are not small nor rural as a system, I have six of nine hospitals that are small/rural, and they greatly rely on ‘the system’ to provide consolidated services at an economy of scale,” he said.
Reimbursement models need to be adjusted for rural hospitals “with some guidelines on how the money needs to be spent,” including on workforce development, Ward added.