February 27, 2025 | Insight
Hospitals Suffer Because the Department of Health and Human Services Fails to Lead on Cybersecurity
Secretary of Health and Human Services Robert Kennedy Jr. has an urgent crisis to solve: the ransomware pandemic crippling American hospitals.
The Biden administration spent years affirming the importance of the cybersecurity of American hospitals, but left office having accomplished little. It is now up to the Trump administration and Congress to ensure that the Department of Health and Human Services (HHS) stops shirking its responsibilities to help this at-risk sector.
American Hospitals Are Under Attack
The healthcare and public health sector consistently suffers more ransomware attacks than all other critical infrastructure sectors. Over the past few years, hackers have pilfered the personal health information of hundreds of millions of Americans. Even worse, cyberattacks disrupt timely patient care, increasing mortality and morbidity rates. Cyberattacks force the diversion of ambulances from affected hospitals to other nearby facilities. Diagnostic machines like MRI machines can get kicked offline. Nurses may lose access to digital patient monitors. Doctors and pharmacists may need to rely on handwritten dosage information without the usual electronic systems to ensure the administration of correct medicines.
A year ago, in February 2024, a massive cyberattack on health payment processing company Change Healthcare rocked the sector. The attack pushed hundreds of hospitals, clinics, and pharmacies to the financial brink as they struggled to receive insurance authorizations and payments for months.
The Biden Administration: Too Much Talk, Not Enough Action
Released a month after the attack, HHS’s March 2024 budget could no longer ignore the cyber challenges facing the sector. Accordingly, the department announced the creation of a $1.3 billion grant program to help under-resourced hospitals. The fine print, however, revealed this to be, at best, an aspirational idea, with promises of funding potentially available only years into the future.
Ever since that February 2024 attack, the Biden White House repeatedly proclaimed that healthcare cybersecurity requirements were just around the corner. HHS issued its first-ever cybersecurity strategy and sector-specific, voluntary cybersecurity performance goals. But outgoing HHS officials left their 59-page draft rule turning those voluntary rules into minimum cybersecurity requirements for the Trump administration to address.
Allowing the Trump administration to set its own regulatory priorities makes sense, but given that the new administration has paused all regulatory action for at least two months, failing to issue the proposed rule means that HHS will not even begin the process of receiving formal public comments on its proposal until at least the spring. The comment period for regulations provides private sector stakeholders with an opportunity to explain their concerns to government officials. Issuing the proposed rule before the end of the Biden administration would have gifted the Trump team valuable insights from the private sector on the right balance between prescriptive standards and results-based resilience.
Instead, after pushing greater privacy rules, outgoing HHS political appointees left their civil servants holding the bag and took a victory lap. On the last business day in office, Andrea Palm, the deputy secretary, published an op-ed once again touting the department’s non-existent $1.3 billion grant program.
The deputy secretary and other outgoing officials glossed over the department’s long-standing failure to prioritize cybersecurity. Back in the 2021 annual defense bill, Congress formally codified the longstanding policy that HHS is responsible for helping the sector identify, prepare for, and mitigate cyber risks and other threats. Until last year, however, the department was spending less than $1 million annually on these sector risk management agency (SRMA) responsibilities.
Congress Steps In
In the fiscal year 2024 appropriations bill, Congress provided HHS with $7 million for this work, enabling those with cyber expertise in the department to begin to make small but meaningful change. Over the summer, HHS consolidated its cybersecurity programs under its Administration for Strategic Preparedness and Response (ASPR). Previously, ASPR was responsible for preparing for disaster and public health emergency response. It had many — but not all — of the capabilities necessary to mitigate cyberattacks as well. The result was that the sector received insufficient assistance to identify and mitigate cyberattacks.
Moving key cyber initiatives under ASPR’s authority has begun to address the shortcomings. But HHS needs to do more to consolidate all its cybersecurity information sharing initiatives lest silos and redundancies continue. Counterintuitively, reorganizing these deck chairs is important. Yet a November Government Accountability Office (GAO) report warned that HHS is still poorly equipped to address the cyber threats facing healthcare. For nearly five years, GAO has been making the same recommendations. It is time for Congress to further step in to direct HHS to prioritize its cybersecurity mission.
In the month before the end of the 118th Congress, a bipartisan Senate working group introduced the Healthcare Cybersecurity and Resilience Act. It would have authorized a grant program for underfunded hospitals to implement basic cybersecurity measures and codified ASPR’s cyber risk management responsibilities. These provisions and others would actualize HHS’s rhetoric.
Hospitals Need Personnel and a Good Federal Partner
By introducing the legislation late in the congressional calendar, senators were using this text to set an important marker for the 119th Congress. Lawmakers are likely to reintroduce this legislation in the new year.
As they do so, members of Congress also should consider creating a pilot program to provide rural hospitals not just with funding but also with personnel who have expertise to implement stronger cybersecurity measures. These hospitals need to purchase better technology, but they also need personnel to install and manage it.
Lawmakers will also need to provide ASPR with sufficient funding. Last year’s $7 million infusion was significant but likely still a fraction of what the office needs given the scale of the cyber threats against the sector. Without an effective government partner, healthcare providers will remain far too vulnerable to cyberattack, and patients will remain too at risk of receiving poor care as a result.
Annie Fixler is the director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD) and an FDD research fellow. Rohannah Shrestha is a CCTI intern and a recent graduate of New York University with a master’s of science in global security, conflict, and cybercrime. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.