Senate bill to protect health care data gets House partner
A bipartisan Senate bill aimed at safeguarding Americans’ health care data in the aftermath of the Change Healthcare ransomware attack now has a House companion.
Introduced Wednesday by Reps. Jason Crow, D-Colo., Brian Fitzpatrick, R-Pa., and Andy Kim, D-N.J., the Healthcare Cybersecurity Act would require the Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services to team up on a variety of measures to strengthen cyber defenses and provide resources to non-federal organizations in the health care space.
“Cyberattackers are targeting Americans’ medical data and must be stopped,” Crow said in a statement. “I’m leading this effort to bolster cyber defenses and protect some of Americans’ most personal and sensitive information from malicious actors.”
The House bill mirrors the upper chamber’s version from Sens. Jacky Rosen, D-Nev., Todd Young, R-Ind., and Angus King, I-Maine, in establishing a CISA liaison to HHS to lead coordination during cyber incidents that impact health systems, with additional support provided as needed.
Calling hospitals and health centers “fundamental pillars” of the country’s infrastructure, Fitzpatrick said in a statement that because of the “alarming rise in malicious cyberattacks causing critical data breaches, increased health care costs, and jeopardized patient health, we cannot delay action in addressing this issue. By providing new resources for cybersecurity risk training and fortifying our cybersecurity protections nationwide, our bipartisan legislation takes decisive action to safeguard our health care systems and protect lives.”
The legislation also has callouts for better information-sharing around cyber threat indicators and the creation of training tools for health system operators. Kim said in a statement that the bill’s goal is to ensure that “providers on the ground have the tools and updated resources they need to protect patients and their information from any future breaches.”
The attack on Change Healthcare — a UnitedHealth Group-owned payment processor whose platform is used by tens of thousands of pharmacies and providers across the country — sparked outrage in Congress over the company’s poor cyber hygiene. Sen. Mark Warner, D-Va., introduced a bill to require health care providers to abide by minimum cybersecurity standards. UnitedHealth ended up paying a $22 million ransom to the ALPHV hacking group.
While the new legislation waits for its day before the House Homeland Security and Energy and Commerce committees, the companion bill last month cleared the Senate Homeland Security and Governmental Affairs Committee and is on deck for a full chamber vote.