Today: Is Cybersecurity Funding About to Change?
Episode 236 • 5th December 2023 • This Week Health: Newsroom • This Week Health

Transcripts

Today in Health IT, is cybersecurity funding about to change? My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels and events dedicated to transforming healthcare, one connection at a time. We want to thank our show sponsors who are investing in developing the next generation of health leaders.

SureTest, Artisight, Parlance, Certified Health, Notable, and ServiceNow. Check them out at thisweekhealth.com/today. All right. Share this podcast with a friend or colleague. Use it as a foundation for daily or weekly discussions on the topics that are relevant to you and the industry. They can subscribe wherever you listen to podcasts. All right, today we are going to talk about a couple things.

One is two Axios stories. One is "Disruptive new wave of ransomware hits critical infrastructure." We'll hit that. No, we're going to talk about the New York law and what that means for the rest of healthcare. So let me give you a rundown of the first Axios article. A wave of ransomware attacks targeting critical infrastructure in recent weeks is a stark reminder that the ransomware problem will continue to get worse before it slows down, despite the US government's best efforts. Why it matters: in the meantime, hackers will keep disrupting critical services at schools, hospitals, financial services institutions, and more. Driving the news: several critical infrastructure organizations are responding to ransomware attacks this week.

Some hospitals across the U.S. had to divert ambulances from their emergency rooms and cancel elective procedures throughout the week due to ransomware attacks. North Texas Municipal Water District got hit. Ransomware hit Fidelity National Financial, and the Cybersecurity and Infrastructure Security Agency warned right before Thanksgiving that ransomware hackers are still exploiting a vulnerability in the Citrix product. By the numbers: so far this year, there've been 317 publicly reported ransomware attacks against healthcare entities.

The same goes for schools in:

All that's going to do is tell us how many more attacks. Cyber funding measures that the Biden administration and Congress have implemented, such as relatively new state and local cybersecurity grant programs, have only just started doling out the allocated dollars. Again, not comprehensive. And law enforcement investigations often take years to collect enough evidence before they can make arrests. Let's see.

Meanwhile, frustration is building across the country as more Americans experience life-altering... and they talk about surgeries that were canceled and patient checkups that were canceled at the hospitals. They talk about just some other things that seem like more nuisance things than anything. Progress is being made, and national law enforcement had several key arrests.

Lawmakers have established new cybersecurity positions in the federal government. Establishing new positions doesn't really do much, but it does give you a group of people that are going to be focused on this work and moving it forward. Let's see. Yeah. All right. That's about all I want to share with that story. I want to go over to this New York law though.

'Cause this is more interesting to me, and I think it does set up what could end up being a precedent that gets repeated by many other states and potentially the federal government. So, "New York hospital cybersecurity rules could spur similar mandates." This is also Axios. Let me give you an idea of what this article says.

The idea of mandating that hospitals meet minimum cybersecurity standards is gaining traction amid scrutiny of mounting attacks that have knocked health systems offline for weeks and upended patient care. Yes. Driving the news: New York Governor Kathy Hochul this week proposed the state become the first to require health systems to adopt certain cyber defenses, including preparation of response plans for a potential attack, which is hard to believe if they don't already have that.

llion from the state's fiscal:

Their proposal reflects a broader shift in how cyber attacks in healthcare are viewed as a patient safety issue rather than a privacy issue, which is a drum that has been pounded for quite some time now, as they increasingly disrupt how and where health systems can provide care. Attacks in several cases have forced ambulances to travel longer. In New York, two hospitals last month had to divert patients to other hospitals due to cyber attacks. Between the lines: experts tell Axios they expect New York's proposal is likely the first of more cyber mandates to come for hospitals. "We understand that the mandates are coming," said Mari Savickis,

who's been on the show several times, vice president of public policy for the College of... for CHIME. "What we've said is that we just really need some support, especially for those under-resourced providers." At the federal level, the White House has said it is targeting minimum cyber standards for critical infrastructure, including hospitals.

HHS Deputy Secretary Andrea Palm said the agency isn't ruling out the idea of tying minimum cybersecurity requirements to payments under federal health programs, per Politico. Let's see. Details: New York's proposal, part of the statewide initiative announced earlier this year to shore up cyber defenses, calls for each hospital to securely maintain systems that are designed to support normal operations. All hospitals would need to have a cybersecurity program, designate a chief information security officer, and perform risk assessments. The proposed rules also call for establishing protocols like multifactor authentication as well as audit trails to help detect and quickly respond to cyber events. "It's a focus not only on roles, but certain technology solutions that should be implemented at a minimum, from a table stakes perspective, that have been proven to really enforce a strong information security program." Okay.

I get a little antsy when we start to say which technologies, when we start to tell people how instead of what. "We need this to be protected in this way" is how you set a policy, not "Hey, you need to implement dual-factor authentication," because maybe that is the norm today, but it's not the norm in the future. Patient privacy regulations have pushed hospitals with limited IT budgets to focus on protecting patient data from hackers, leaving other systems vulnerable, said healthcare industry policy principal in cybersecurity from Claroty. Okay. "For example, I can hack your hospital's HVAC and your elevator system in the summertime, and you will immediately go into emergency triage. It's not just about ransomware anymore." It says a person who's a technology actually oversees that stuff.

So I don't know. New York officials said they're still weighing penalties for noncompliance as they collect public comment on the proposal until February. If the requirements ultimately go into effect, hospitals would have one year to come into compliance. Now, if they're going to supply the money, then this makes sense.

If they're going to supply the money and people still don't do it and they still are in noncompliance, absolutely. If they're not going to supply the money and they're just going to do the stick, this is going to be a challenge. Let me come back to the 500 million. The 500 million is interesting to me.

You're talking about one of 50 states. And you're talking about a problem that is an acute need within healthcare. There are health systems that are making pretty drastic choices on, do they secure certain aspects? Do they not secure other aspects? The reality is if you leave a hole in the fence, no matter where that hole in the fence is, people can come through.

And if you don't protect the answer to that lateral movement, they can eventually get to everything anyway. So to a certain extent you have these weird false choices being made: oh, we're going to protect this, but not this, or we're going to protect this, but not this. And you leave holes for them to penetrate and get into the system.

Be it the HVAC system or the EHR or the Citrix system or whatever. At the end of the day, most CISOs I'm talking to are essentially saying, look, we're preparing for an incident. And once that incident hits, we want to be able to restore operations in a certain amount of time. We want to be able to limit the impact and the blast radius, if you will, of that incident so that they're only able to impact, let's just say, the HVAC system and not every other system within the healthcare system. But they're able to restore those services as quickly as possible.

And so there's this holistic approach to looking at not only the penetration and the attack surface and what systems, but also to controlling their ability to impact the entire system and also restore those systems. And those are just the five pillars that we were looking at in order to have a comprehensive cybersecurity policy.

So I would want to look at this in more detail, understand what they're talking about. Look at the allocation of money: how do you apply for that money? How do you get that money? If I were a CIO today, I would want to understand this New York law pretty significantly, because I was a CIO in California.

I would expect California to follow suit. It is a state that is pretty aligned politically. And it is also a state that has a significant amount of healthcare that is under attack. As I've said on the show before, we have a situation where essentially there are aircraft carriers lined up off the coast of New York, Carolina, California, Oregon, Washington, and they are launching attacks every day, every minute, every second. And as a federal government, this is one of the things we expect them to do: to not allow carriers to line up on any of our coasts and just launch attacks. That's happening from a cybersecurity standpoint on a daily basis. This is where the federal government does step in.

This is where federal dollars do get spent. And this is how we protect healthcare, and not only healthcare, but also critical services as we move forward. All right. That is the show for today. That's all. Don't forget, share this podcast with a friend or colleague. We would greatly appreciate it. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: SureTest, Artisight, Parlance, Certified Health, Notable, and ServiceNow.

Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.
