
New legislation aims to strengthen healthcare cybersecurity

The Health Care Cybersecurity and Resiliency Act of 2024 aims to strengthen healthcare cybersecurity and improve coordination between HHS and CISA.

Lawmakers introduced the Health Care Cybersecurity and Resiliency Act of 2024 with the goal of strengthening healthcare cybersecurity, modernizing HIPAA and improving coordination between HHS and the Cybersecurity and Infrastructure Security Agency.

The Senate bill, jointly introduced by U.S. Senators Bill Cassidy (R-La.), Mark Warner (D-Va.), John Cornyn (R-Texas) and Maggie Hassan (D-N.H.), is the product of a bipartisan Senate healthcare cybersecurity working group that was formed in November 2023.

The group convened with the goal of proposing legislative solutions within the Senate Health, Education, Labor and Pensions Committee to address healthcare cybersecurity challenges.

The proposed legislation directs the HHS secretary to coordinate with the Cybersecurity and Infrastructure Security Agency (CISA) director to improve healthcare cybersecurity. Lawmakers have stressed the importance of improving coordination between HHS and CISA in past legislative proposals, such as the Healthcare Cybersecurity Act, which was introduced in the House in August 2024.

Under the Health Care Cybersecurity and Resiliency Act, HHS and CISA would be required to work together to improve cyberthreat information sharing and strengthen cyberattack response efforts.

The proposed legislation would also require HHS to develop and implement a cybersecurity incident response plan and issue guidance about how it will implement requirements under the Consolidated Appropriations Act of 2021 regarding recognized security practices.

If the bill passes, HHS would also be required to update HIPAA to include "modern, up-to-date cybersecurity practices" for covered entities to comply with.

As previously reported, HHS already submitted proposed updates to the HIPAA Security Rule to the Office of Management and Budget at the White House in October 2024. The proposal is expected to be made public in December 2024.

The Health Care Cybersecurity and Resiliency Act also highlighted rural healthcare cybersecurity challenges. If passed, the act would require HHS to issue guidance for rural entities on breach prevention, coordination with federal agencies and resilience.

The proposal would also allow HHS to award grants to entities for the adoption of cybersecurity best practices and would allow HHS to coordinate with CISA to develop cybersecurity training for the healthcare workforce.

"In an increasingly digital world, it is essential that Americans' health care data is protected," Cornyn stated in a press release.

"This commonsense legislation would modernize our health care institutions' cybersecurity practices, increase agency coordination, and provide tools for rural providers to prevent and respond to cyberattacks." 

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
