The case for Financial Penalties in Healthcare Cybersecurity: Holding Hospitals Accountable

In the complex world of healthcare, the recent opposition by the American Hospital Association (AHA) to the Department of Health and Human Services’ (HHS) proposal has sparked a critical debate. This blog delves into why imposing financial penalties on hospitals for cybersecurity failures, contrary to the AHA's stance, could be a transformative step for the healthcare industry.

Consider this: In an industry where a breach can mean compromising sensitive patient data, cybersecurity is as vital as patient health itself. Financial penalties, viewed by some as punitive, can actually serve as a powerful catalyst for change. For example, the financial repercussions for non-compliance after the 2008 financial crisis led to a considerable increase in compliance costs.

Historically, the absence of stringent penalties has led to a somewhat complacent attitude towards cybersecurity. Research indicates that despite being a prime target for cybercriminals, the healthcare sector often underinvests in cybersecurity. This underinvestment, possibly due to the lack of severe repercussions, allows healthcare entities to deprioritize essential cybersecurity initiatives.

While advocating for these penalties, it's crucial to strike a balance between accountability and support. Under-resourced hospitals, for instance, require federal assistance to build strong cybersecurity infrastructures. The HHS's proposal to introduce upfront investments for these hospitals is a commendable step. Such measures, paired with financial penalties, could forge a more accountable and resilient cybersecurity ecosystem in healthcare.

It's important to address the AHA’s concerns regarding penalizing hospitals post-cyberattack, especially when many attacks are sophisticated and state-sponsored. The design of these penalties should be preventive and corrective, not merely punitive. They should encourage proactive measures and continuous improvement in cybersecurity postures.

The introduction of financial penalties for non-compliance in the healthcare sector is a pivotal move towards more secure ecosystems. By holding hospitals accountable and simultaneously providing them with necessary resources and support, the healthcare industry can better shield itself against the evolving landscape of cyber threats. The goal is not to punish, but to propel the industry towards better practices, safeguarding the safety and privacy of patient data. As we navigate this complex issue, it’s time for us to come to the reality that money motivates action.

L Trotter II

As Founder and CEO of Inherent Security, Larry Trotter II is responsible for defining the mission and vision of the company, ensuring execution aligns with the business purpose. Larry has transformed Inherent Security from a consultancy to a cybersecurity company through partnerships and expert acquisitions. Today the company leverages its healthcare and government expertise to accelerate compliance operations for clients.

Larry has provided services for 12 years across private industry, developing security strategies and managing security operations for Fortune 500 companies and healthcare organizations. He is an influential business leader who can demonstrate the value proposition of security and its direct link to customers.

Larry graduated from Old Dominion University with a bachelor’s degree in Business Administration with a focus on IT and Networking. Larry has accumulated certifications such as the CISM, ISO27001 Lead Implementer, GCIA and others. He serves on the Board of Directors for the MIT Enterprise Forum DC and Baltimore.

https://www.inherentsecurity.com