Ignore Uncle Sam's 'voluntary' cybersecurity goals for hospitals at your peril
2024-02-05 19:30

Interview: If you are responsible for infosec at a US hospital or other healthcare organization, and you treat the government's new "voluntary" cybersecurity performance goals as, well, voluntary, you're ignoring the writing on the wall.

"If you buy into the fact that voluntary doesn't mean you have to do something, you are probably going to be wrong. Voluntary goals become mandatory, and that has usually been the case with other rulemaking in healthcare as it relates to security."

In early January, as a record-breaking 46 health networks with a total of 141 hospitals between them were still reeling from ransomware infections and data theft in 2023, rumors started swirling that the White House would soon require US hospitals to meet basic cybersecurity standards before receiving federal funding.

When asked about the hospital rules, the Centers for Medicare and Medicaid Services directed The Register to a concept paper published in December that outlines the Department of Health and Human Services' cybersecurity strategy.

According to the paper [PDF], officials will propose new, enforceable security standards, and will work with Congress to administer financial support and incentives for hospitals to implement "high-impact cybersecurity practices," among other actions.

The essential goals sound like base-level security - the kind of things one would hope that hospitals and clinics already have in place.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/02/05/us_voluntary_cybersecurity_goals_hospitals/