House bill proposes a new strategy to protect patient data

The Healthcare Cybersecurity Act of 2022 introduces a CISA-directed collaboration with HHS to tighten healthcare cybersecurity with industry analysis and workforce training.
By Andrea Fox
11:48 AM


Update: We heard back from Rep. Crow's office about funding for the bill's provisions, and that information has been added below.

Legislation introduced in the U.S. House of Representatives this month would direct the Cybersecurity and Infrastructure Security Agency to collaborate with Health and Human Services to protect Americans' healthcare data from cyberattacks.

WHY IT MATTERS

HHS data reported that breaches of healthcare facilities rose 55% in 2020, with nearly 1 million patients affected monthly.

"Cyberattacks on our hospitals and health centers are becoming increasingly common and they are driving up our healthcare costs," Rep. Jason Crow, D-Colo., said in an announcement about the bill co-sponsored by Rep. Brian Fitzpatrick, R-Pa.

In addition to increased healthcare delivery costs, the congressman's announcement cites the growing frequency of malicious attacks that ultimately affect patient health outcomes.

The bill and its companion in the Senate, introduced by Sen. Jacky Rosen, D-Nev., in March, attest that "collaboration and information sharing between the public and private sectors is essential to increasing cyber resilience for health-focused entities."

The Healthcare Cybersecurity Act would require CISA and HHS to collaborate by entering into an agreement to improve cybersecurity as defined by CISA.

Within one year of the legislation's bicameral passage, the federal cybersecurity agency would complete a detailed study analyzing risks specific to healthcare assets and data, information system security challenges in the sector and cybersecurity workforce shortages.

CISA would address healthcare cybersecurity workforce training, recruitment and retention issues and make recommendations for how to address them, particularly in rural and small and midsize healthcare and public-sector systems.

The legislation would also authorize cybersecurity training for healthcare asset owners on cybersecurity risks and mitigation strategies. 

Healthcare IT News reached out to Crow's Washington, D.C., office asking about funding for the proposed CISA training. Information was not readily available, but Crow's office later responded by email that Senator Rosen is taking the lead on including funding for this proposal in the Fiscal Year 2023 National Defense Authorization Act. In August, the NDAA was placed on the Senate's legislative calendar. 

Both bills have been referred to their respective committees on homeland security.

THE LARGER TREND

The legislation's sponsors point to a nearly threefold increase in sensitive health data breaches over the last three years.

The increase, and the highly publicized events, have resulted in hospital boards pouring more money into cybersecurity to address care disruptions and protect interoperable electronic health records and other data sources.

Hospitals are adapting to the spike in ransomware by increasing redundancy, using cloud tools and putting bring-your-own-device policies in place to enable care teams to use their devices to communicate over cellular networks when WiFi networks become unavailable, according to Steve Smerz, CISO at Halo Health, a clinical collaboration platform.

"In any case, whether the organization relies on shared devices, BYOD or other mobile device strategies, a clinical collaboration platform enables team members to continue communication in real time to deliver and act on mission-critical information, such as stroke and sepsis alerts," he told Healthcare IT News a year ago.

Larger healthcare systems are also addressing cyberattack threats with increased training to mitigate the effects of a data breach. 

ON THE RECORD

"Forty-six million Americans had their health data breached in 2021 as a result of a cyberattack," said Fitzpatrick. "The increasing number of attacks on our hospitals and health centers must be addressed."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS publication.
