The bipartisan Senate bill known as the Healthcare Cybersecurity Act was introduced in response to the Change Healthcare ransomware attack and currently has a companion bill in the House of Representatives. Senators Todd Young (R-IN), Jacky Rosen (D-NV), and Angus King (I-ME) introduced the Senate bill in July 2024, while Representatives Jason Crow (D-CO), Andy Kim (D-NJ) and Brian Fitzpatrick (R-PA) introduced the House bill.
The healthcare sector has become a prime target for cybercriminals who steal sensitive patient information for financial gain, either by selling it or holding it for ransom. A report from the HHS Office for Civil Rights (OCR) revealed a 93% increase in cyber-related healthcare data breaches from 2018 to 2022 and a 107% increase in large data breaches. In 2023, 744 healthcare breaches involving 500 or more records were reported to OCR, affecting over 160 million healthcare records. In the first half of 2024, 466 large healthcare data breaches, including the Change Healthcare ransomware attack, were reported, affecting over 47 million records. The Change Healthcare cyberattack, which may have impacted the data of one-third of Americans, caused widespread disruption to healthcare services, as billing systems were down for months.
The Healthcare Cybersecurity Act aims to strengthen cybersecurity in the healthcare industry. It mandates a joint effort between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to bolster cyber defenses across the healthcare sector through a range of measures. Non-federal healthcare organizations will also gain access to cybersecurity threat defense resources to enhance their protection.
The Act also calls for the creation of a dedicated liaison within CISA to coordinate cybersecurity efforts with HHS, ensuring seamless communication and threat-sharing during cyber incidents. CISA and HHS are required to send a report to Congress outlining the steps being taken to improve their cybersecurity coordination.
Congressman Crow emphasized the urgency of the situation, stating the need to stop cyber attackers from targeting Americans’ medical data. Congressman Fitzpatrick added that with the growing number of cyberattacks, the bipartisan bill will provide new resources and HIPAA training focused on cybersecurity risk to safeguard healthcare systems and American lives nationwide.
The Senate bill recently passed the Senate Homeland Security and Governmental Affairs Committee with a 10-1 vote and awaits a full Senate vote. The companion bill in the House is currently under review by the Homeland Security and Energy and Commerce committees.