What Trump could do for cybersecurity in healthcare

With more than 140 million Americans affected by data breaches involving health data in 2024, hospitals and healthcare organizations are continuing to struggle with cybersecurity.

Hospitals are hoping President Trump will offer more funds for health systems for cybersecurity, and some analysts suggest that could happen.

Hospitals have said the government needs to offer more funding to help health systems repel more attacks. At the same time, President Donald Trump says he’s looking to cut spending wherever possible, with his Department of Governmental Efficiency tasked with finding places to save money.

Even so, some analysts are expecting that cybersecurity could be one area where Trump is willing to boost investments of federal funds.

Ash Shehata, KPMG’s U.S. sector leader for healthcare, told Chief Healthcare Executive® that he thinks it’s possible that Trump will spend more money to help healthcare organizations and other key infrastructure improve their cybersecurity. It would fit in with his stated focus to improve national security.

“They're looking at securing the physical environment and the borders of the United States,” Shehata says. “The cybersecurity investment to protect our enterprises and our institutions is just as important.”

• Read more: Cybersecurity panel: How hospitals can protect their patients and their systems

Shehata says that’s an area where he sees more investments, which he says reflects the simple reality that hospitals are going to need more help as they face more attacks. Larger health systems struggle to keep up with cybersecurity, and many smaller hospitals simply don’t have the resources to maintain robust defenses, Shehata says.

“We have a lot of health systems that are safety net hospitals that are barely making it,” he says. “I go to those board meetings, the boards ask me, ‘Ash, well, how are we going to do this? We're barely making it.’”

Healthcare organizations remain prime targets for cyberattacks, Shehata notes. Ransomware gangs can sell private health information. Shehata says hospitals and healthcare providers are going to need more help.

“I think it's going to have to come through a variety of public and private and regulatory actions,” he says.

After the Change Healthcare cyberattack, which disrupted hospitals and other providers nationwide, healthcare leaders implored Congress last spring to put more money toward cybersecurity.

Mari Savickis, head of government relations for the College of Healthcare Information Management Executives, outlined the climate in Washington during a virtual cybersecurity summit Tuesday. She notes that there’s much that’s unclear since Trump just took office Monday and he’s already signed dozens of executive orders.

Trump signed an executive order putting the brakes on new regulations that have not already been approved, and Savickis said that likely delays an anticipated rule on cybersecurity for hospitals.

The Biden administration was on the cusp of unveiling new regulations on cybersecurity requirements for hospitals that could have been tied to participation in Medicare, she notes. But with Trump freezing new regulations for the time being, that policy may not come to pass, she says.

Linking cybersecurity protection to Medicare is “something that most hospitals are adamantly opposed to, and we're opposed to them as well,” Savickis says. “It's very heavy handed.”

Republicans control both the Senate and House of Representatives in the new Congress, and lawmakers have sponsored bills to provide more money for hospitals for cybersecurity. With the new session of Congress underway, lawmakers will have to reintroduce those bills, Savickis says.

U.S. Sen. Bill Cassidy, a Louisiana Republican who is the new chairman of the Senate Health, Education, Labor and Pensions Committee, understands the need to help healthcare organizations with cybersecurity.

“He's been supportive of cybersecurity,” Savickis says.

A physician, Cassidy sponsored a bill that would have imposed greater cybersecurity standards, but didn’t include penalties for hospitals falling short.

The Senate Finance Committee introduced a separate bill that would have provided $800 million to hospitals for cybersecurity. Savickis says the Senate Finance Committee bill would’ve also included penalties for hospitals that fail to meet cybersecurity standards, a sore point for hospitals. Given the thousands of hospitals, she says, “It's a very small sum of money, and there are very heavy penalties.”

The legislation could be reintroduced again in this session, which Savickis says would be a concern because the approach involves using a stick rather than a carrot. “This one may be reintroduced, and so we'll be watching for this one as well and advocating for a more agreeable approach,” she says.

Hospitals and their advocates have pushed for more aid but don’t want to face penalties or fines for breaches. Hospitals have argued they shouldn’t be penalized for being the victims of crimes.

Lisa Kidder Hrobsky, senior vice president of federal relations, advocacy and political affairs for the American Hospital Association, says hospitals are seeking more funding from the Trump administration and Congress in dealing with cybersecurity.

“Certainly we think that any cybersecurity mandates or requirements should have some additional funding for hospitals,” she tells Chief Healthcare Executive®. “Obviously rural hospitals don't have the funding to implement widespread cybersecurity additional regulations on top of what they're already doing now.”

Hospitals are going to face continued threats from cyberattacks, according to analysts such as Moody’s Ratings. In a report issued last week,

“Cyberattacks are an increasing threat with hospitals harvesting sensitive patient data, leading to costly cybersecurity measures to ensure data privacy. A cyber breach that affects operations can also affect lives. Not-for-profit hospitals are at very high cyber risk,” the Moody’s report stated.

Healthcare data breaches remain the most costly of any industry, with the average breach costing organizations more than $9.7 million, according to an analysis by IBM.