Senate moves one step closer to passing health care cyber reforms 


A key Senate committee moved to advance legislation that would overhaul cybersecurity practices at the Department of Health and Human Services.

The bipartisan Health Care Cybersecurity and Resiliency Act sailed through the Senate Health, Education and Labor Committee Thursday on a 22-1 vote, with only Sen. Rand Paul, R-Ky., opposing it.

The legislation, sponsored by committee chair Bill Cassidy, R-La., and Sens. Mark Warner, D-Va., John Cornyn, R-Texas and Maggie Hassan, D-NH, would require the Secretary of Health and Human Services to develop a cybersecurity incident response plan for the department and provide it to Congress for review.

It would direct the department to partner with the Cybersecurity and Infrastructure Security Agency on oversight of cybersecurity in the health care and public health sectors, create specific cybersecurity guidance for rural healthcare providers and develop a plan to boost cybersecurity literacy within the healthcare workforce.

Cassidy and other members cited the 2024 Change Healthcare attack as a major driver for the legislation, arguing the incident was emblematic of a sector that is under constant siege from cybercriminals, ransomware actors and nation-states.

“Last year there were more than 730 cyber breaches affecting over 270 million Americans [connected to] Change Healthcare, exposing 190 million people’s data and delaying access to care,” Cassidy said at the opening of the hearing.

Another provision would designate the Administration for Strategic Preparedness and Response at HHS as the Sector Risk Management Agency for the Healthcare and Public Health sectors.

Earlier this month, an HHS official from that office speaking at CyberTalks, presented by CyberScoop, said the Change Healthcare attack took many private and public sector defenders by surprise, underscoring how the compromise of a little-known third-party service provider concentrated within a single sector can still take down wide swaths of industry.

“It wasn’t a hospital, it was a company most people have never heard of and had major impacts on our sector and threatened the liquidity of our entire health care system,” said Charlee Hess, director of the healthcare and public health sector cybersecurity at the Administration for Strategic Preparedness and Response division. “We recovered from that, but we realized there are third-party risks lurking in our health care system, and we don’t even know they’re there. Where are those entities or systems that will have an outsized impact on our sector?”

The bill would update one of the sector’s main data protection laws, the Health Insurance Portability and Accountability Act, to ensure regulated entities use modern cybersecurity practices. It would also establish a new federal grant program to help hospitals, cancer centers, rural health clinics, the Indian Health Service, academic health centers and partnering nonprofit organizations adopt cybersecurity best practices.

“Cyberattacks in the health care sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs – and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks,” Hassan said in a statement.

Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.


