$1.3 Billion FY25 Federal Budget Request for Health Care Cybersecurity a Good Start

Some big news dropped with the White House announcing its new federal budget request for FY25. Nestled inside the request on page 16 of an HHS document was one especially interesting sentence: “The budget also establishes a $1.3 billion Medicare incentive program to encourage hospitals to adopt essential and enhanced cybersecurity practices.”

BLUF:

  • $1.3 billion in Medicare incentives is a good start to make hospitals more resilient to ransomware and other cyber threats by creating a market for good cybersecurity tools and practices. Better cybersecurity practices == more highly available patient care.

  • This might help address gaps in historically less cyber-regulated areas, such as pharmaceutical manufacturing, drug compounding, lab testing, and more. Pharma factory floors, lab test service providers, PCR machine manufacturers, genetic sequencer companies, etc. should be hiring OT cybersecurity (not just IT cybersecurity) talent so that health care supply chains have verifiable resilience to cyber threats, not just natural disasters.

  • The President’s Council of Advisors on Science and Technology (PCAST) published a set of recommendations and policy actions to improve the cyber-physical resilience of critical infrastructure such as health care delivery. Watch the live event online from FDD on Wednesday, March 13.

  • The devil will be in the details of how CMS rolls out the incentives, after Congress approves appropriations.

  • Still missing are incentives to retire insecure and insecurable legacy medical devices from hospital capital equipment depreciation tables. Cash for clunkers, anyone? Or as Josh Corman said, “it can be difficult to pry old devices out of healthcare’s cold, dead hands.”

  • Still missing in general are C-suite level cybersecurity leadership actions at the Joint Commission to meaningfully integrate verifiable cybersecurity practices into hospital accreditation, certification, and verification. Reports and alerts are quaint and don’t add much value beyond what other stakeholders already publish. Maybe use Calibri fonts instead of Aptos for an outdated motif? The Joint Commission needs an infusion of new OT cybersecurity ideas for its central products and services.

TL;DR

Let me opine on why this $1.3 billion is appropriate and necessary to have any hope of improving medical device security and ensuring resilience of health care delivery organizations to cyber threats.

  1. The $1.3B carrot will help fix a gaping hole in federal influence on stronger cybersecurity. In the United States, FDA only regulates the manufacture of medical devices, not the use of medical devices in health care delivery. The Joint Commission, in my opinion, continues to certify health care delivery organizations even after egregious cases of health care breaches or ransomware affecting millions of patients. CMS carrots could serve as a procurement-stage incentive to get better cybersecurity architecture deployed in clinical environments.

  2. Hospitals struggle to procure cybersecure medical devices and clinical information systems. Luckily the HSCC has published a template on model contract language for hospitals and medical device manufacturers to get better cybersecurity promises from vendors of dubious history who might otherwise ship insecure and insecurable medical devices and clinical information systems. I suspect CMS will use the HSCC model contract language in proposing a set of financial incentives.

  3. What are essential and enhanced cybersecurity practices? It’s actually partly defined by HHS, and I’ll be hosting a UCSF-Stanford CERSI-FDA seminar with a spokesperson for the HHS CPG report on March 21. Register for the free event before the seats fill up, and come to the Archimedes Discussion Circle right after.

  4. IMHO, the Joint Commission needs a software update. Start by modifying assessments to include (1) how well organizations know their inventory of medical device assets, because you can’t protect what you don’t know you have (this should really be an essential, not enhanced, CPG), (2) how carefully procurement contracts require vendors to provide verifiable SBOMs, and (3) how well vendor products and services will remain highly available even if all firewalls are breached and all cloud services are infected with ransomware. Security must be end-to-end and resilient with graceful failures rather than catastrophic system-wide outages, even in the midst of cyberthreats.

  5. The devil will be in the details. I’d expect that CMS will be holding town halls and listening sessions with stakeholders to craft triple-creme win-win-win policy so that health care delivery organizations, medical device manufacturers, and vendors are aligned such that patients can expect highly available and trustworthy health care delivery despite endemic cybersecurity risks such as ransomware disabling billions of dollars in Medicare payments today.

The Archimedes UTOT Cybersecurity blog gives CMS three 🌬️ 🌬️ 🌬️’s for blowing winds of positive change to improve health care cybersecurity. We give one 💩 to the Joint Commission for not standing up with meaningful leadership actions on health care cybersecurity after 12 glorious years of panel discussions.

Archimedes Health Care Cybersecurity Week

Want to learn more? Come to the sessions at the Archimedes Health Care Security Week in New Orleans from April 30-May 2, 2024 where participants will learn everything from threat modeling and how to stand up an organization’s security program to the latest and greatest from regulators, manufacturers, and health care delivery organizations on SBOMs, Cybersecurity Performance Goals, legacy devices, AI, and more! We don’t encourage insipid networking at Archimedes, instead we promote meaningful relationship building through tough-love plenaries and interactive social events (Windows 10 End-of-Support Jazz Funeral Costume Contest, anybody?). Let’s make medical device cybersecurity more like the Big Easy by building security in by design rather than trying hopelessly to bolt it on after the fact with false-hope firewalls that never solve your problem. We will also keep an empty chair ready for the Joint Commission.
