Hackers commonly target health-care facilities, thanks to the valuable information on their networks as well as their historically lax security practices. Facilities all over the world are vulnerable to attacks like the WannaCry ransomware attack that occurred last month. Last year, a ransomware attack disabled the medical-records system of a Los Angeles Hospital and forced it to transfer patients elsewhere (see “With Hospital Ransomware Infections, the Patients Are at Risk”).

One reason for the problem, according to the task force, is that many smaller facilities simply can’t afford to retain in-house cybersecurity expertise and maintain the necessary technological infrastructure. The group “strongly” recommends that Congress amend the Physician Self-Referral Law and the Anti-Kickback Statute to account for this by allowing more cybersecurity technology sharing between hospitals and their smaller partners.

If Congress doesn’t act, the department of Health and Human Services could pursue new regulations that would make exceptions to these laws. In fact, a model already exists for this. Regulatory exceptions and safe harbor provisions make it legal for hospitals and clinics to donate electronic health records technology to doctors’ offices and other business partners.

These exceptions exist because when hospitals began adopting electronic records in the mid-2000s, many physicians who sent patients to those hospitals could not afford to purchase interoperable technology for their offices. Just like today with cybersecurity, hospitals wanted to be able to buy this technology for them, says Bernadette Broccolo, a health-care attorney at the law firm McDermott Will & Emery.

Clearing the way for hospitals to buy cybersecurity technology for doctors’ offices without the threat of legal trouble would help reduce the overall risk, but it is only one piece of a complicated puzzle that policymakers must solve in order to truly fix health care’s cybersecurity woes. While many of the rules governing cybersecurity in health care are “well-meaning and individually effective,” write the report’s authors, “Taken together they can impose a substantial legal and technical burden on health-care organizations.”