The American Hospital Association said HHS' plan to levy financial penalties in the event of a cyberattack on a healthcare organization would be counterproductive.
In a Dec. 6 statement, the AHA said it is advocating for the HHS to review its proposal that requires healthcare organizations to be compliant with new cybersecurity requirements and imposes financial penalties for noncompliance.
"The AHA cannot support proposals for mandatory cybersecurity requirements being levied on hospitals as if they were at fault for the success of hackers in perpetrating a crime," AHA President and CEO Rick Pollack said in the statement. "Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cyber crime and would be counterproductive to our shared goal of preventing cyberattacks."
On Dec. 6, the HHS released a concept paper that outlined a new cybersecurity strategy aimed at enhancing the security of the healthcare sector.
Requirements within the proposed strategy include implementing new cybersecurity standards for hospitals under Medicare and Medicaid, publishing voluntary healthcare-specific cybersecurity performance objectives, collaborating with Congress to establish funding and incentives for domestic hospitals to enhance cybersecurity, creating enforceable cybersecurity standards, and enhancing the coordination role of the HHS' Administration for Strategic Preparedness and Response to serve as a centralized hub for healthcare cybersecurity.
While the AHA endorses HHS' initiative to provide incentives for enhancing cybersecurity and to offer funding to assist financially challenged hospitals in covering initial cybersecurity improvement costs, the imposition of financial penalties is something the AHA said it doesn't want to encourage.