
How Will Biden’s $1.5 Trillion Spending Bill Impact Healthcare Cybersecurity?

The $1.5 trillion spending bill contains the Strengthening American Cybersecurity Act, which will impact healthcare cybersecurity.

President Biden signed a $1.5 trillion spending bill including legislation that will impact healthcare cybersecurity and critical infrastructure as a whole. The spending bill, which includes aid for Ukraine and keeps the government funded through September, also contained the Strengthening American Cybersecurity Act.

The act requires critical infrastructure entities to report cyber incidents to the US Department of Homeland Security (DHS) within 72 hours of discovery. In addition, entities will be required to report ransomware payments to DHS within 24 hours.

The healthcare and public health (HPH) sector is one of 16 critical infrastructure sectors that will be impacted by the new legislation.

“The term ‘significant cyber incident’ means a cyber incident, or a group of related cyber incidents, that the Secretary determines is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the people of the United States,” the act stated.

On top of HIPAA Breach Notification Rule requirements, covered entities and business associates will have to keep track of emerging regulations to protect PHI and know when and how to notify government agencies and impacted individuals of a data breach.

The legislation did not specify which companies will be subject to the rule, Bloomberg noted. For healthcare organizations, the determination of what to report to DHS will depend on the size and scope of the security incident and whether it posed a significant threat to public health on a large scale.

There will likely be a significant learning curve as covered entities and government bodies work to establish new processes for data breach reporting.

The act stemmed from a lack of data and government visibility into cyber incidents in the US. Threat sharing is essential to preventing future incidents, and a lack of visibility could cause the severity of cyber threats across the country to be understated.

Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly told Bloomberg that the bill would give her agency “the data and visibility we need to help better protect critical infrastructure and businesses across the country from the devastating effects of cyberattacks.” 

“Put plainly, this legislation is a game-changer,” Easterly continued.

CISA, which falls under DHS, will play a major role in collecting and analyzing private sector data incident reports.

“It is clear that, as our nation continues to counter cyber threats and support Ukraine, we need to pass this legislation to provide additional tools to address possible cyber-attacks from adversaries, including the Russian government,” Michigan Senator Gary Peters said in a statement introducing the bill.

“This landmark, bipartisan legislative package will provide our lead cybersecurity agency, CISA, with the information and tools needed to warn of potential cybersecurity threats to critical infrastructure, prepare for widespread impacts, coordinate the government’s efforts, and help victims respond to and recover from online breaches. Our efforts will significantly bolster and modernize federal cybersecurity as new, serious software vulnerabilities continue to be discovered, such as the one in log4j. This combined bill will also ensure that agencies can procure cloud-based technology quickly, while ensuring these systems, and the information they store, are secure.”
