Lawmakers introduce Healthcare Cybersecurity Act in House

Representatives introduced the Healthcare Cybersecurity Act in the House following companion legislation in the Senate.

Lawmakers have introduced the Healthcare Cybersecurity Act in the House of Representatives to bolster protections for healthcare data amid ongoing cyberattacks against the sector. Representatives Jason Crow (D-Colo.), Brian Fitzpatrick (R-Pa.), and Andy Kim (D-N.J.) led efforts to introduce the bipartisan bill.

Senators Jacky Rosen (D-Nev.), Todd Young (R-Ind.), and Angus King (I-Me.) introduced the Senate companion bill in July 2024.

The legislation directs the Cybersecurity and Infrastructure Security Agency (CISA) and HHS to collaborate on improving cybersecurity in the healthcare sector. Additionally, the bill proposes that CISA and HHS make cyberthreat defense resources available to nonfederal entities.

Lawmakers backed their concerns about healthcare cybersecurity by citing a 2022 report from the HHS Office for Civil Rights (OCR), which found that breaches of unsecured protected health information had increased 107% since 2018.

"Hospitals and health centers are fundamental pillars of our nation's infrastructure. With the alarming rise in malicious cyberattacks causing critical data breaches, increased healthcare costs, and jeopardized patient health, we cannot delay action in addressing this issue," Fitzpatrick said.

"By providing new resources for cybersecurity risk training and fortifying our cybersecurity protections nationwide, our bipartisan legislation takes decisive action to safeguard our healthcare systems and protect lives."

With this in mind, lawmakers are pushing for more coordination between CISA and HHS to help healthcare entities manage risks. For example, the bill proposes the appointment of a special liaison to HHS within CISA to increase communication and collaboration during cybersecurity incidents.

The liaison will serve as the primary point of contact for HHS to coordinate cybersecurity issues with CISA and facilitate threat sharing between them.

If passed, the Healthcare Cybersecurity Act will also require HHS and CISA to submit a report that describes the actions taken to improve cybersecurity coordination between the two entities.

HHS and CISA have collaborated in the past on healthcare cybersecurity efforts. For example, in October 2023, HHS and CISA teamed up to release a healthcare cybersecurity toolkit with resources for managing and mitigating cybersecurity risk across the sector.

The toolkit consolidated several industry and government resources, such as CISA's cyber hygiene services, HHS's "Health Industry Cybersecurity Practices" publication, and HHS and the Health Sector Coordinating Council's (HSCC) HPH Sector Cybersecurity Framework Implementation Guide.

The Healthcare Cybersecurity Act would further cement the relationship between HHS and CISA while improving security within the sector.

"These attacks and breaches of data can literally mean the difference between life and death for patients, significantly impact hospital operations, and -- with the average hack costing millions to address -- increase healthcare prices across the board," King stated when the Senate bill was introduced.

"The bipartisan Healthcare Cybersecurity Act will take important steps toward protecting patients' data and healthcare provider capabilities, and bolstering our cybersecurity infrastructure and response."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
