After establishing their healthcare working group last year, U.S. Senators Bill Cassidy, a Louisiana Republican and the ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee; Mark Warner, a Virginia Democrat; John Cornyn, a Texas Republican; and Maggie Hassan, a New Hampshire Democrat, introduced bipartisan legislation, ‘The Health Care Cybersecurity and Resiliency Act of 2024,’ aimed at enhancing cybersecurity within the healthcare sector to safeguard Americans’ health data.
The Health Care Cybersecurity and Resiliency Act of 2024 requires the Secretary of Health and Human Services (HHS) and the director of the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate on improving cybersecurity in the healthcare and public health sectors. It strengthens cybersecurity in the healthcare sector by providing grants to health entities to improve cyberattack prevention and response, and by providing training to health entities on cybersecurity best practices.
The legislation also supports rural communities by providing best practices to rural health clinics and other providers on cybersecurity breach prevention, resilience, and coordination with federal agencies, and it improves coordination between HHS and CISA to better respond to cyberattacks in the healthcare sector.
It also further modernizes current regulations so entities covered under the Health Insurance Portability and Accountability Act (HIPAA) use the best cybersecurity practices, and requires the HHS Secretary to develop and implement a cybersecurity incident response plan.
According to HHS, a record 89 million Americans had their health information breached in 2023, more than double the 2022 figure. These cyberattacks severely impact healthcare operations, costing an average of $10 million per breach and leading to interruptions or long-term delays in care. In 2022 in Louisiana, hackers compromised almost 270,000 personal records, including health information.
“Cyberattacks on our health care sector not only put patients’ sensitive health data at risk but can delay life-saving care,” Cassidy said in a media statement. “This bipartisan legislation ensures health institutions can safeguard Americans’ health data against increasing cyber threats.”
“Cyberattacks on our health care systems and organizations not only threaten personal and sensitive information but can have life-and-death consequences with even the briefest period of interruption. I’m proud to introduce this bipartisan legislation that strengthens our cybersecurity and better protects patients,” said Senator Warner.
“In an increasingly digital world, it is essential that Americans’ health care data is protected,” said Senator Cornyn. “This commonsense legislation would modernize our health care institutions’ cybersecurity practices, increase agency coordination, and provide tools for rural providers to prevent and respond to cyberattacks.”
“Cyberattacks in the healthcare sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs – and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” said Senator Hassan. “Our bipartisan working group came together to develop this legislation based on the most pressing needs for medical providers and patients, and I urge my colleagues to support it.”
Under the bill, the Secretary, acting through the Assistant Secretary for Preparedness and Response and in collaboration with the CISA director, shall oversee and coordinate efforts within HHS to enhance cybersecurity resilience in the healthcare and public health sector. This includes facilitating coordination and communication with both public and private entities regarding preparedness for and responses to cybersecurity incidents, under this Act, other relevant laws, and Presidential Policy Directives on critical infrastructure security and resilience.
The legislation mandates that within one year of the enactment of the Health Care Cybersecurity and Resiliency Act of 2024, the Secretary must develop and implement a comprehensive cybersecurity incident response plan. This plan is intended to guide relevant personnel within HHS on the procedures and protocols necessary to prepare for and address cybersecurity incidents. It will cover information systems, including hardware, software, databases, and networks managed by or for the Department.
The plan will also include strategies for assessing cybersecurity risks, preventing incidents, detecting and identifying threats, minimizing damage, protecting data, and ensuring swift recovery from any cybersecurity incidents.
The legislation also prescribes that, not later than 60 days before the date on which the Secretary begins implementing the plan, the Secretary shall submit a report describing the plan to the Committee on Health, Education, Labor, and Pensions and the Committee on Homeland Security and Governmental Affairs of the Senate, and to the Committee on Energy and Commerce, the Committee on Oversight and Reform, and the Committee on Homeland Security of the House of Representatives.
The Secretary shall update the privacy, security, and breach notification regulations to require covered entities and business associates to adopt a set of cybersecurity practices. These include multi-factor authentication, or a successor technology, for access to any information systems that may contain protected health information; appropriate safeguards to encrypt protected health information; and requirements to conduct audits, including penetration testing.
Other minimum cybersecurity standards, as determined by the Secretary in consultation with private sector entities, are to be based on a landscape analysis of emerging and existing cybersecurity vulnerabilities and on consensus-based best practices.
Earlier this month, the U.S. Government Accountability Office (GAO) identified challenges faced by HHS in fulfilling its cybersecurity responsibilities, and said that HHS could strengthen its leadership in this area by implementing the GAO’s previous recommendations. Cyberattacks on the healthcare and public health sectors have surged in recent years.