Healthcare , Industry Specific , Training & Security Leadership

Bill for Rural Hospital Cyber Skills Passes Senate Committee

Cyber Legislation Advances Just as a Rural Hospital in Illinois Closes
Bill for Rural Hospital Cyber Skills Passes Senate Committee
The Senate Homeland Security and Governmental Affairs committee advanced a bill meant to improve rural hospital cyber skills during a June 14, 2023 markup. (Image: U.S. Senate)

Bipartisan legislation proposing to help rural hospitals better address cybersecurity personnel shortages cleared a Senate committee Wednesday amid signs of a deepening ransomware crisis affecting hospitals serving areas with low population density.

See Also: Managing Shadow IT Across Your Enterprise

The Senate Homeland Security and Governmental Affairs Committee approved the Rural Hospital Cybersecurity Enhancement Act during a Wednesday session. Its sponsor is Missouri Republican Sen. Josh Hawley, and it is co-sponsored by the committee chair, Sen. Gary Peters, a Michigan Democrat. Ten senators approved the bill, and Kentucky Republican Sen. Rand Paul voted "present."

The bill directs the Cybersecurity and Infrastructure Security Agency - in consultation with the departments of Health and Human Services, Labor, and Education - to develop a cybersecurity workforce development strategy for rural hospitals and to publish instructional materials. The bill calls for CISA to make legislative proposals necessary to implement the strategy (see: Bipartisan Bill Aims to Shut Rural Hospital Cyber Skills Gaps).

The committee voted to pass the bill with an amendment from Paul specifying that CISA shouldn't ask for additional funds to carry out the proposal.

The bill stemmed from a hearing the committee held in March examining cybersecurity threats facing the healthcare sector, Peters said (see: Healthcare Leaders Call for Cybersecurity Standards).

The hearing included testimony by witnesses who told the legislators that IT and security staff at rural hospitals is scarce and overworked. Rural hospitals rarely have a dedicated cybersecurity worker.

"What we heard was that rural hospitals in particular are soft targets to cybercriminals," Hawley said to his committee colleagues at Wednesday's markup.

"Just yesterday, there were media reports that a rural hospital in Illinois had to close completely because of a cyberattack," said Hawley, referring to 44-bed St. Margaret's Health in Spring Valley, Illinois, which announced it is permanently shutting down its two small hospitals and clinics on Friday due to financial and other woes worsened by a 2021 ransomware incident (see: Rural Healthcare Provider Closing Due in Part to Attack Woes).

Small and rural hospitals are hit especially hard with cyber skills shortages for multiple reasons, Nate Couture, CISO of the University of Vermont Health Network, told Information Security Media Group.

"The economic reality of small and rural hospitals is that their overall IT teams are likely to be small," he said.

"When small and rural organizations can fund a full- or partial-time employee toward cyber, it will generally be at a much lower compensation rate than other industries," he said.

Healthcare is also not viewed by many candidates as being on the cutting edge of cybersecurity, often due to insufficient funding to invest in the latest capabilities, Couture added.

"This makes it a challenge for small and rural hospitals to hire the skill set that is available on the market."

Also contributing to the workforce issues is the reimbursement model from payers and government programs for patient care services delivered by rural hospitals, said Mike Ward, CIO of Covenant Health, a health system that serves a 23-county area in eastern Tennessee.

"While we are not small nor rural as a system, I have six of nine hospitals that are small/rural, and they greatly rely on 'the system” to provide consolidated services at an economy of scale," he said.

Reimbursement models needs to be adjusted for rural hospitals "with some guidelines on how the money needs to be spent," including on workforce development, Ward added.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.