Stronger cyber protections in health care targeted in new Senate bill

The bipartisan legislation from four senators is aimed at strengthening providers’ cyber defenses and protecting Americans’ health data.

Protecting Americans’ health data and strengthening cybersecurity protections throughout the health care sector is the focus of a bill introduced Friday from a bipartisan quartet of Senate lawmakers.

The Health Care Cybersecurity and Resiliency Act of 2024 (S.5390) is the culmination of a yearlong effort from Sens. Bill Cassidy, R-La., Maggie Hassan, D-N.H., John Cornyn, R-Texas, and Mark Warner, D-Va., who formed a working group in November 2023 to examine cyber issues in health care.

Under the umbrella of the Senate Health, Education, Labor and Pensions Committee, the senators aimed to address a staggering stat from the Health and Human Services Department, which found that 89 million Americans’ health information was breached last year, more than twice as many as in 2022.  

“In an increasingly digital world, it is essential that Americans’ health care data is protected,” Cornyn said in a statement. “This commonsense legislation would modernize our health care institutions’ cybersecurity practices, increase agency coordination, and provide tools for rural providers to prevent and respond to cyberattacks.” 

Said Cassidy: “Cyberattacks on our health care sector not only put patients’ sensitive health data at risk but can delay life-saving care. This bipartisan legislation ensures health institutions can safeguard Americans’ health data against increasing cyber threats.” 

The legislation starts with improved coordination between HHS and the Cybersecurity and Infrastructure Security Agency, fostering additional communication so that the agencies can better protect against and respond to cyberattacks in the health care sector. 

It also requires the HHS secretary to develop and implement a cyber incident response plan within a year of the bill’s enactment. The directors of CISA, the Office of Management and Budget and the National Institute of Standards and Technology should be consulted in the development of that plan, the bill states.

There’s also a callout to modernize current regulations tied to the Health Insurance Portability and Accountability Act, making sure that covered entities under HIPAA are following best cyber practices. 

Other measures in the bill include the doling out of grants to providers to improve their cyberattack prevention-and-response protocols, delivering training sessions on cyber best practices to health care entities, and supporting rural health clinics through coordination with federal agencies on breach prevention, resilience and other mitigation tactics.

“Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs — and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” Hassan said in a statement. “Our bipartisan working group came together to develop this legislation based on the most pressing needs for medical providers and patients, and I urge my colleagues to support it.”

Earlier this year, Warner and Sen. Ron Wyden, D-Ore., introduced a bill to create mandatory minimum cybersecurity standards for providers, health plans and connected entities, a response to the February ransomware attack on Change Healthcare, the UnitedHealth Group-owned payment processor. 

The breach impacted a record-high 100 million Americans, and Change Healthcare’s chief information security officer said the company was forced to “start over” with regard to its IT systems.

“Cyberattacks on our health care systems and organizations not only threaten personal and sensitive information, but can have life-and-death consequences with even the briefest period of interruption,” Warner said of the new bill. “I’m proud to introduce this bipartisan legislation that strengthens our cybersecurity and better protects patients.”
