Bill Is Similar to Senate Proposals, But Will Congress Take Action Before Election?
A bipartisan House bill aims to bolster cybersecurity in the healthcare sector by requiring stronger collaboration between CISA and the Department of Health and Human Services. The bill is a companion to nearly identical bipartisan legislation introduced in the Senate in July.
Lawmakers unveiled the House legislation – the Healthcare Cybersecurity Act – on Thursday. The bill is sponsored by U.S. Reps. Jason Crow, D-Colo.; Brian Fitzpatrick, R-Penn.; and Andy Kim, D-N.J.
“Cyberattackers are targeting Americans’ medical data and must be stopped,” Crow said in a statement. The country needs to bolster its cyber defenses to better protect “Americans’ most personal and sensitive information from malicious actors,” he said.
The House bill calls for the creation of a liaison within CISA to coordinate with HHS during cybersecurity incidents and to collaborate in supporting healthcare and public health sector entities with cybersecurity training and other related resources.
That proposed training made available by CISA to “owners and operators” of technologies, services and utilities in the healthcare and public health sector includes ways to mitigate security risks to information systems.
The lawmakers pointed to the massive disruption of the healthcare ecosystem earlier this year by the ransomware attack on Change Healthcare, which highlighted “the lack of preparation and training during the recovery process.”
The Senate version of the bill – the Healthcare Cybersecurity Act of 2024, introduced in July by Sens. Jacky Rosen, D-Nev.; Todd Young, R-Ind.; and Angus King, I-Maine – proposes similar actions, including a new liaison within CISA to work with HHS on healthcare sector cybersecurity (see: Bill Calls for CISA, HHS Effort to Boost Health Sector Cyber).
The proposals in both the House and Senate versions of the bills would codify with congressional oversight much of what has been in progress within the cybersecurity organizational structure at HHS in partnership with CISA, some experts said.
“While it is encouraging to see the bipartisan support to address this issue, HHS and CISA have been working toward this common goal for years. Much of what is outlined within this proposed bill is documenting work that is currently underway,” said Kate Pierce, executive director of government affairs at security firm Fortified Health Security.
“Capturing the specifics within legislation would ensure that the upcoming changes in administration will not negatively impact the hard work currently underway,” said Pierce, a former longtime CIO and CISO at a Vermont hospital.
“One thing the sector doesn’t need is more studies and reports created. There is no need for further evaluation. It’s time to put the plan into practice,” she said.
Will Legislation Gain Traction?
The two bills are the latest of a handful of bipartisan congressional efforts in recent years aimed at bolstering cybersecurity in healthcare and public health. So far, most of the other proposals have not advanced far in a Congress that is mostly divided along party lines.
“As close as we are to the election, it may be difficult for either bill to pass,” predicted Malachi Walker, federal security strategist at security firm DomainTools.
“Sen. Rosen’s bill has bipartisan support and a good chance of making it through the Senate, but with more representatives and less outlined bipartisan support in the House, it will be an uphill battle for Rosen’s bill to make it out of committee and for Crow’s bill to get passed at all,” he said.
But others are more optimistic. “The number of members of both houses speaking about cybersecurity has increased dramatically,” said Doug Britton, chief strategy officer at RunSafe Security.
“The requests for information from agencies regarding cyber issues have exploded. And the fallout of failures in this area is clear. I think it could gain traction,” he said.
Pierce offered a similar assessment. “These bills could gain traction in Congress as both parties agree that healthcare cybersecurity is a national risk that needs to be addressed,” she said. “With the uncertainty ahead with the upcoming elections, this is a way to solidify the foundation of a basic cybersecurity program for healthcare specifically.”
The healthcare sector would potentially benefit from any cyber help the government might offer, experts said.
“Healthcare is difficult to secure because financially motivated adversaries, knowing lives are at stake if systems are compromised, see healthcare organizations as groups that will do anything to resume business as quickly as possible,” Walker said.
“If they can compromise an online system, adversaries believe they can get a ransom paid with little resistance,” he said.
“CISA and HHS have a vested interest in learning all they can about the persons or organizations behind domains or IP addresses observed in successful or attempted cyber breaches,” he said.
The proposals in both the Crow and Rosen bills “show signs of a first step in addressing these threats and raising the bar on cybersecurity in the sector,” Walker said.
“Both bills incentivize information sharing, cybersecurity training and education for healthcare owners and operators and outline a risk management plan that is not only specific to the healthcare sector but outlines where specialized support is needed in the public health sector,” he said.
Missing from both bills is any mention of HHS’ cybersecurity performance goals, or CPGs, which were released earlier this year. The goals aim to help raise the bar in healthcare data security. HHS had said the CPGs are voluntary, but it has hinted they could become mandates for some healthcare sector entities, such as hospitals (see: Feds Wave Sticks & Carrots at Health Sector to Bolster Cyber).
Another major factor the bills fail to address is funding.
“The lack of funding to support these efforts is one of the crucial elements that appears to be missing,” Pierce said. “Many healthcare entities won’t be able to significantly raise the bar without financial support.”
While cyberattacks on the healthcare and public health sector rise, so do other challenges, she said. “There are too many competing priorities, especially in smaller, rural healthcare organizations, to prioritize cyber defense unless it is required – such as moving the CPGs from voluntary to mandatory – and there is funding to support it,” she said.
HHS’ $1.3 billion FY25 budget proposal is not enough to make a significant impact, “but it is a place to start,” Pierce said.