New Bipartisan Senate Group Tackling Healthcare Cyber Bill
Working Group to Study Proposals Bolstering Healthcare, Public Health Cybersecurity

Members of Congress don't agree on much these days. But a new bipartisan working group launched in the Senate on Thursday hopes to rally congressional support for potential legislation focused on improving the state of cybersecurity in the healthcare sector.
Sen. Bill Cassidy, R-La., ranking member of the Senate Committee on Health, Education, Labor and Pensions, along with Sens. Mark Warner, D-Va.; John Cornyn, R-Texas; and Maggie Hassan, D-N.H., said in a joint statement that they have formed the group to examine and propose potential legislative solutions in the HELP Committee jurisdiction to strengthen cybersecurity in the healthcare and public health sector.
Cassidy, one of 19 physicians currently serving in Congress and one of four in the Senate, and Warner, chair of the Senate Select Intelligence Committee, have both been working on efforts aimed at improving healthcare sector cybersecurity.
In September, Cassidy issued a request for information from healthcare industry stakeholders on ways to improve the privacy and security of health data while balancing the need to support medical research (see: US Senate Seeks Input on Ways to Protect Patient Privacy).
"We are seeing a disturbing rise in cyberattacks on our healthcare system. These attacks not only put patients' sensitive health data at risk but can delay life-saving care," Cassidy said in the joint statement about the task group. "Just like a strong military and police force defends us against physical attacks, we must ensure health institutions can safeguard against increasing cyber threats and protect Americans' crucial health data."
Warner last November issued a white paper seeking public feedback on a variety of policy options to help improve the state of healthcare sector cybersecurity (see: Cybersecurity Is Patient Safety, Says US Senator).
Among the policy issues Warner was examining were potential mandates to apply minimum security practices as standard operating procedure for entities that participate in Medicare, modernizing HIPAA, and developing a "consensus-based" healthcare-specific cybersecurity framework.
"I do fear that we are one major cyber health event away from everybody going, 'Holy heck,' and then, potentially, Congress overreacting," Warner told Information Security Media Group in a February video interview.
At that time, Warner said he was aiming to gather support for new bipartisan legislation sometime this year to incentivize healthcare sector entities to improve their cybersecurity posture and to tackle other top security concerns.
In the working group's joint statement, Warner said that in his role as chair of the Senate Select Committee on Intelligence, he is "acutely aware" of the most serious threats facing the U.S.
"I know that shoring up our cybersecurity is one of the best tools we have to protect ourselves and our sensitive materials," he said. "In no industry is this more obvious and important than healthcare, where such care is increasingly connected and even a brief period of interruption can have life-and-death consequences."
As of Friday, the Department of Health and Human Services' HIPAA Breach Reporting Tool website shows 561 major health data breaches reported so far in 2023. They affect "a record 89 million Americans," more than double since last year, according to the senators' statement. "These cyberattacks severely impact healthcare operations, costing an average of $10 million per breach and leading to an interruption or long-term delay in care," the statement says.
Cassidy, Warner and Cornyn's offices declined Information Security Media Group's requests for further comment. Hassan did not immediately respond to ISMG's requests for comment.
Balancing Act
It is uncertain whether legislation aimed at improving cybersecurity in the healthcare sector would gain widespread bipartisan support in Congress, despite the fact that the issues are serious concerns for many lawmakers, some experts said.
"While I think that the aim of improving healthcare information security is bipartisan, I am not sure that there will be consensus on the best way to do so," said privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "For example, there may not be consensus on whether the best approach is increased regulation and/or increased funding," he said.
As for potential federal provisions that could be most helpful to the healthcare sector in bolstering cybersecurity, lawmakers will need to strike a balance as they consider various sticks and carrots, he said.
"It is increasingly difficult for healthcare providers, especially smaller ones, to keep up with all of the security challenges they are facing," Greene said.
"Congress should temper any new legal mandates with funding methods to make it easier for healthcare providers to improve their security."