Bill Calls for CISA, HHS Effort to Boost Health Sector Cyber
Bipartisan Legislation Is Latest Congressional Move to Enhance Healthcare Security
A bipartisan trio of U.S. senators has introduced legislation aimed at improving healthcare sector cybersecurity by directing the Department of Health and Human Services to collaborate with the Cybersecurity and Infrastructure Security Agency, including creating a CISA liaison to work with HHS.
The Healthcare Cybersecurity Act of 2024, introduced on Thursday by Sens. Jacky Rosen, D-Nev.; Todd Young, R-Ind.; and Angus King, I-Maine, is the latest of a handful of bipartisan congressional efforts over the last several months aimed at bolstering the healthcare and public health sectors' cybersecurity.
The bill comes on the heels of recent major cyberattacks - especially the February ransomware hit on UnitedHealth Group's Change Healthcare IT services unit, which disrupted critical operations, including patient eligibility checks and claims processing, for thousands of healthcare providers across the nation for many weeks. The company estimated that the resulting data breach affected up to one-third of the American population, or perhaps 100 million individuals.
The ransomware attack on Change Healthcare highlighted a lack of preparation and training during the recovery process, the lawmakers said in a statement.
The bill calls for CISA and HHS to collaborate and study how to improve healthcare sector cybersecurity. It also proposes making resources available to nonfederal entities related to cyberthreat indicators and appropriate defense measures.
The proposed legislation also calls for the creation of a special liaison to HHS within CISA to coordinate during cybersecurity incidents and collaborate to support healthcare and public health sector organizations.
“The healthcare industry is still reeling from recent cyberattacks, and rural and small healthcare entities in Nevada have been particularly affected,” Rosen said in the statement. "It's imperative that we take measures to improve cybersecurity in the healthcare sector to prevent data breaches."
More Urgency Needed
Some experts say the bill is commendable but misses the mark, especially in terms of urgency.
"I appreciate the work Sens. Rosen, King and Young are doing to try to improve cybersecurity in healthcare, but there are more pressing needs," said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center.
"We don't need another 18 months to study the problem. We already know many healthcare provider organizations are severely under-resourced when it comes to cybersecurity. We see it just about every day in reports of ransomware disrupting hospital operations," he said.
Healthcare providers don't have the budgets to purchase much-needed technology and worse yet, they don't have the funding needed to attract and retain experienced cybersecurity professionals, Weiss said.
"That's what the industry needs now. Resources and investment in technology and staff to adequately protect healthcare providers."
Congressional Oversight
The new bill would codify with congressional oversight much of what is already developing within the cybersecurity organizational structure at HHS in partnership with CISA, said Greg Garcia, executive director of cybersecurity at the Health Sector Coordinating Council, a public-private group that works with HHS and healthcare sector entities.
"It is important for Congress to give concrete direction to the agencies without micromanaging," he said. "This bill seems to do that, giving primary healthcare cybersecurity responsibility and authority to HHS with support from CISA."
The bill proposes that the agencies do essentially what the Biden administration's recent National Security Memorandum 22 says to do: critical healthcare infrastructure mapping, risk assessment and a management plan, Garcia said (see: What's in Biden's Security Memo for the Healthcare Sector?).
"To have this process subject to congressional oversight can give it more routine that matures over time and transcends an executive order of one administration," Garcia said.
"The responsibility of determining what constitutes critical healthcare functions and related risk is the responsibility of HHS rather than CISA."
Other Efforts
King, a co-sponsor of Rosen's proposed legislation, is also co-sponsor of a bill he introduced in early February with Sen. Marco Rubio, R-Fla., before the Change Healthcare attack.
That bill - the Strengthening Cybersecurity in Health Care Act - calls for HHS to biennially conduct cybersecurity reviews and tests on its own IT systems and report to Congress on how it is updating its cybersecurity strategy to keep up with evolving cyberthreats (see: Bipartisan Bill Requires HHS to Bolster Cyber Efforts).
Last November, another bipartisan set of senators - Bill Cassidy, R-La.; Mark Warner, D-Va.; John Cornyn, R-Texas; and Maggie Hassan, D-N.H. - formed a group to examine and propose potential legislative solutions in the Senate Health, Education, Labor and Pensions Committee jurisdiction to strengthen cybersecurity in the healthcare and public health sectors (see: New Bipartisan Senate Group Tackling Healthcare Cybersecurity Bill).
Warner on Friday sent a letter to HHS Secretary Xavier Becerra and Deputy National Security Advisor Anne Neuberger urging the Biden administration to quickly develop and release mandatory minimum cyber standards for the healthcare sector (see: Synnovis Attack Halts 8,000 NHS Patient Procedures So Far).
Whether this latest bill from Rosen, King and Young gains traction is anyone's bet, Garcia said. "In this current political environment, predicting prospects for movement, let alone passage of the bill, is guesswork."