Fueled by growing concern over Russian cyber threats to key US infrastructure, the bipartisan Healthcare Cybersecurity Act of 2022 (S.3904) was introduced by United States Senators Jacky Rosen (D-NV) and Bill Cassidy, MD (R-LA) on March 23, 2022. The Act would require the Cybersecurity and Infrastructure Security Agency (CISA) to collaborate with the Department of Health and Human Services (HHS) to improve cybersecurity in the health and public health sector. The agency CISA itself was created by the Cybersecurity and Infrastructure Security Agency Act of 2018; the existing health-sector cybersecurity obligations discussed below trace back to the Cybersecurity Information Sharing Act of 2015 (CISA 2015), and the proposed law does not amend CISA 2015. Instead, it appears to strengthen and expand the cybersecurity obligations that both agencies, CISA and HHS, already have toward health businesses.
Increasingly malicious cyberattacks on healthcare organizations in recent years have led to data breaches that have raised healthcare costs and, in some cases, affected patient health outcomes. According to the findings in the proposed legislation, data reported to HHS shows that “nearly every month in 2020, more than 1,000,000 people were affected by data breaches at health care organizations.” The bill also states that cyberattacks on health care facilities increased by more than half in 2020, and that the average cost of retrieving patient records rose 16 percent in 2019. Similarly, data from the HHS Office for Civil Rights (OCR) indicates that “health information breaches have increased since 2016, and in 2020 alone, the Department reported 663 breaches at covered entities. . . affecting more than 500 people, with more than 33,000,000 people in total affected by health information breaches.”
Specifically, the Healthcare Cybersecurity Act of 2022 would:
- Require CISA and HHS to collaborate, including by entering into an agreement to improve cybersecurity in the healthcare and public health sector, as defined by CISA.
- Authorize training for health providers on cybersecurity risks and ways to mitigate them.
- Require CISA to conduct a detailed study of the specific cybersecurity risks facing the healthcare and public health sector, including an analysis of how those risks affect healthcare organizations in particular, and an assessment of the challenges health care providers face in keeping information systems up to date, addressing vulnerabilities in medical devices and equipment, and implementing cybersecurity protocols.
- Require CISA to assess shortages of relevant cybersecurity personnel and provide recommendations on how to address such shortages and issues.
In early March, CISA issued a rare “Shields Up” warning regarding cyberattacks, stating that “All organizations, large and small, must be prepared to respond to disruptive cyber activity.” To provide quick access to resources for urgent security improvements, CISA has compiled guidance, updates, and free cybersecurity services and tools from government and industry partners on its website. CISA also maintains a Known Exploited Vulnerabilities (KEV) Catalog that identifies vendors and products with vulnerabilities known to be exploited in the wild and states the required action if an organization uses those vendors or products (for example, if you use Adobe Acrobat and Reader, apply any pending updates according to the vendor’s instructions). Because the catalog lists products rather than affected version ranges, a match against your inventory is a prompt to check the vendor advisory and patch, not a confirmation of exposure.
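As an added illustration (not from the original post, and not a CISA tool), the following Python script shows how a security team would check its own software inventory against the KEV catalog. It uses the real feed's JSON field names and URL, but the catalog records and the inventory below are constructed placeholders (the CVE IDs are dummies, not real catalog entries) so that it runs offline; fetch_live_catalog() is the hook for the real feed.

```python
"""Check a software inventory against CISA's Known Exploited Vulnerabilities (KEV) feed.

The live feed is JSON; each record carries cveID, vendorProject, product,
vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate and notes.
The sample below reuses that layout with constructed placeholder records.
"""
import json
import re
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample feed: real field names, dummy contents (CVE IDs are placeholders).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.03.23",
    "dateReleased": "2022-03-23T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Adobe", "product": "Acrobat and Reader",
         "vulnerabilityName": "placeholder", "dateAdded": "2022-01-10", "notes": "",
         "shortDescription": "constructed entry", "dueDate": "2022-01-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft", "product": "Exchange Server",
         "vulnerabilityName": "placeholder", "dateAdded": "2022-03-15", "notes": "",
         "shortDescription": "constructed entry", "dueDate": "2022-04-15",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0003", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "placeholder", "dateAdded": "2021-12-10", "notes": "",
         "shortDescription": "constructed entry", "dueDate": "2021-12-24",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory, in the shape of an export from an asset-management tool.
SAMPLE_INVENTORY = [
    {"name": "radiology-ws-07", "vendor": "Adobe", "product": "Acrobat Reader DC"},
    {"name": "mail-01", "vendor": "Microsoft", "product": "Exchange Server 2016"},
    {"name": "pacs-db", "vendor": "Oracle", "product": "Database"},
]

STOPWORDS = {"and", "the", "of", "for"}


def fetch_live_catalog(timeout=30):
    """Download the current KEV feed (network access required)."""
    with urllib.request.urlopen(KEV_URL, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_kev(raw_json):
    """Parse the feed and return its list of vulnerability records."""
    return json.loads(raw_json)["vulnerabilities"]


def tokens(text):
    """Lower-cased alphanumeric words minus filler. KEV product names are free text
    ("Acrobat and Reader" vs. an inventory's "Acrobat Reader DC"), so exact equality would miss."""
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS}


def match_inventory(inventory, kev_entries, today_iso):
    """Return one hit per (asset, KEV entry) pair with the same vendor and at least one
    shared product word. Hits are review candidates, not confirmed exposures: KEV has no
    affected-version data, so the vendor advisory still has to be checked."""
    today = date.fromisoformat(today_iso)
    hits = []
    for asset in inventory:
        vendor = asset["vendor"].strip().lower()
        asset_words = tokens(asset["product"])
        for entry in kev_entries:
            if entry["vendorProject"].strip().lower() != vendor:
                continue
            if not asset_words & tokens(entry["product"]):
                continue
            hits.append({
                "asset": asset["name"],
                "cveID": entry["cveID"],
                "product": entry["product"],
                "requiredAction": entry["requiredAction"],
                "dueDate": entry["dueDate"],
                # dueDate is the BOD 22-01 deadline for federal agencies; other
                # organizations can still use it to order their patching queue.
                "overdue": today > date.fromisoformat(entry["dueDate"]),
            })
    return hits


def overdue_hits(hits):
    """Subset of hits whose KEV remediation due date has already passed."""
    return [h for h in hits if h["overdue"]]


def run_sample_check(today_iso="2022-03-23"):
    """Run the matcher over the constructed feed and inventory."""
    return match_inventory(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), today_iso)


if __name__ == "__main__":
    for h in run_sample_check():
        flag = "OVERDUE" if h["overdue"] else "due " + h["dueDate"]
        print(f"{h['asset']}: {h['cveID']} ({h['product']}) {flag}: {h['requiredAction']}")
```

To run it against the real catalog, replace SAMPLE_KEV_JSON with fetch_live_catalog() and feed in your own inventory export; the word-overlap match is deliberately loose, so expect some false positives (for instance, any "Windows" product will match "Windows Server" entries) and treat every hit as a ticket to verify the installed version against the vendor advisory.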
As mandated by CISA 2015, HHS has implemented measures to educate health care companies and encourage them to adopt cybersecurity practices. HHS established the 405(d) Program and Task Force, which in late 2018 issued Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), and, under the Office of the Chief Information Officer, the Health Sector Cybersecurity Coordination Center (HC3). Initially a voluntary guidance document, HICP became a “recognized security practice” in 2021, when Public Law 116-321 amended the Health Information Technology for Economic and Clinical Health (HITECH) Act to require HHS to consider such practices in its enforcement decisions. As a result, health care providers that can show they had HICP in place for at least the 12 months preceding an OCR investigation may benefit from a shorter investigation and/or reduced penalties for HITECH and HIPAA violations. OCR now regularly requests this evidence as part of post-breach investigations.
HHS and CISA currently provide resources specifically for health care providers and related businesses, available from HC3 and from CISA respectively. We encourage security officers, compliance officers, and IT directors to subscribe to the HC3 and CISA alert listservs; email subscription is available on the home page of each agency’s website.