A new bipartisan bill from Sens. Bill Cassidy, R-La., Maggie Hassan, D-N.H., John Cornyn, R-Texas, and Mark Warner, D-Va., is aiming to bolster cybersecurity in the healthcare sector and safeguard Americans’ health data.
The Health Care Cybersecurity and Resiliency Act of 2024 is a product of the healthcare cybersecurity working group the senators launched last year amid a record number of cyberattacks on healthcare entities. According to the Department of Health and Human Services (HHS), over 89 million Americans had their health information breached last year.
“Cyberattacks on our health care sector not only put patients’ sensitive health data at risk but can delay life-saving care,” Sen. Cassidy said in a Nov. 22 press release. “This bipartisan legislation ensures health institutions can safeguard Americans’ health data against increasing cyber threats.”
Notably, the bill would require HHS to update the Health Insurance Portability and Accountability Act (HIPAA) regulations for HIPAA-covered entities and business associates to use modern cybersecurity practices. These include multi-factor authentication, safeguards to encrypt protected health information, and requirements to conduct “audits” such as penetration testing.
The legislation also places a heavy focus on providers in rural communities, which typically cannot afford skilled cybersecurity teams and are therefore more vulnerable to cyberattacks. Specifically, the bill would require HHS to issue guidance for rural health clinics and other providers on cybersecurity breach prevention, resilience, and coordination with Federal agencies.
It also would allow HHS to award grants to eligible health entities to improve cyberattack prevention and response. According to the bill’s text, eligible entities include hospitals, cancer centers, rural health clinics, health facilities operated by the Indian Health Service, academic health centers, or a nonprofit entity that partners with an eligible entity.
The bill also requires the HHS secretary to develop and implement a cybersecurity incident response plan.
Finally, it looks to improve coordination between HHS and the Cybersecurity and Infrastructure Security Agency (CISA) to better respond to cyberattacks in the healthcare sector.
“Cyberattacks on our health care systems and organizations not only threaten personal and sensitive information, but can have life-and-death consequences with even the briefest period of interruption,” Sen. Warner said. “I’m proud to introduce this bipartisan legislation that strengthens our cybersecurity and better protects patients.”
Earlier this year, Sen. Warner and Sen. Ron Wyden, D-Ore., introduced the Health Infrastructure Security and Accountability Act, which would require HHS to develop and implement “tough” minimum cybersecurity standards for the healthcare sector.
The legislation follows calls on Congress to develop minimum cybersecurity standards after a ransomware attack on UnitedHealth’s Change Healthcare unit in February. The cyberattack affected an estimated third of all Americans and halted billing services for providers across the nation.