A bipartisan group of senators are looking to tackle health care cybersecurity by reviving legislation that would update regulations and guidelines, authorize grants, offer training and clarify federal agency roles.
It’s a subset of cybersecurity where Congress hasn’t enacted any sweeping changes to date. The resurrected Health Care Cybersecurity and Resiliency Act from Health, Education Labor and Pension Committee Chairman Bill Cassidy, R-La., and his colleagues on both sides of the aisle emerges from a 2023 bipartisan health care cybersecurity working group.
Cassidy and his cosponsors — Mark Warner, D-Va., Maggie Hassan, D-N.H., and John Cornyn, R-Tex. — first introduced the bill in late November last year, with little time left in the session to take action on it before Congress adjourned at the beginning of 2025.
“Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs — and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” Hassan said in a news release Thursday.
The legislation aspires to improve coordination between the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency, with steps like directing HHS to work with CISA state coordinators to provide training to health care owners and operators.
It would clarify HHS’s responsibilities and give it additional responsibilities, such as directing it to develop a cybersecurity incident response plan. It also requires HHS to update Health Insurance Portability and Accountability Act (HIPAA) regulations for health care identities to use modern cybersecurity practices, issue guidance for rural health clinics on breach prevention.
And it authorizes a five-year grant program at HHS for select health care entities, like academic health and cancer centers, although it doesn’t specify a dollar amount.
Some of those goals are similar to provisions from other health care cybersecurity bills that haven’t become law, some of which emerged after the Change Healthcare ransomware attack that led to the biggest breach of health care data ever reported to federal regulators.
“Patients deserve absolute confidence that their sensitive medical data stored online is protected and shielded from cybersecurity breaches or ransomware attacks,” Cornyn said.