Stronger Ransomware Protection for Hospitals Needed, says CHIME, AEHIS

The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS) have issued a joint statement calling for stronger protections to be implemented by hospitals in light of the growing ransomware threat.

At a hearing titled “Ransomware: Understanding the Threat and Exploring Solutions,” both organizations agreed that stronger hospital legislation is needed to help healthcare organizations deal with the growing threat from ransomware and other malware.

In the statement, CHIME and AEHIS pointed out that healthcare organizations are being encouraged to improve access to electronic protected health information and make the data immediately available, yet then must also ensure that strict cybersecurity protections are applied. That this is a difficult task.

The move to digital healthcare information has made it easier for protected health information to be compromised or stolen. Since healthcare organizations have transitioned to electronic data formats there has been an increase in cyber threats. The problem for many organizations is there is simply not enough money in budgets to apply the necessary protections to keep ePHI secure.

Hospitals and other healthcare organizations are ill equipped to deal with ever more sophisticated cybersecurity threats. Even large healthcare providers, with large cybersecurity budgets, are unable to prevent malicious actors from gaining access to their networks.

The development of untraceable digital currencies has also made it easier for organizations to be extorted using ransomware.

Both CHIME and AEHIS said that the enforcement of privacy and security laws have been inconsistent. It was pointed out that many organizations have been heavily focused on compliance issues and protecting patient privacy. This has distracted many organizations from protecting their EHRs, networks, and medical devices from attack.

In the case of the latter, since the manufacturers of the devices are not HIPAA covered entities, they are not incorporating the necessary controls to secure their devices. It is often left to the covered entity to ensure appropriate security controls are put in place to keep the devices secure. It was recommended that the healthcare industry works more closely with device manufacturers to improve security, while the FDA should – as part of its approval process – include assurances that the devices have appropriate security controls to ensure they are not an easy entry point into healthcare networks.

CHIME and AEGIS said healthcare organizations must move from a checkbox compliance approach to a proactive policy management process in order to ensure their networks and devices are protected from ransomware and cyberattacks.

Both organizations also made recommendations to the Senate Judiciary Committee Subcommittee on Crime and Terrorism. Both organizations say it is essential to:

Provide a healthcare-specific identification solution – It is important to devalue health data on the black market. Reducing the reliance on SSNs could help in this regard.

Encourage increased cybersecurity spending – Healthcare organizations should receive incentives for improving security.

Make data security a reimbursement factor –  Permit the CMS to apply a similar principle that is used for value-based reimbursement modifiers to organizations investing in cybersecurity measures

Reduce the complexity of regulations – By reducing the complexity of state and federal legislation, healthcare organizations could divert more resources to cybersecurity

Introduce workforce development programs – Develop programs that help healthcare organizations train the workforce on cybersecurity.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of