Proposed Healthcare Cybersecurity Act Overview

The US House of Representatives introduced a bill in September to safeguard the health information of Americans from cyberattacks. The bipartisan Healthcare Cybersecurity Act was introduced in response to nearly 50 million Americans having their private health information compromised in 2021, a threefold increase over the previous three years. The average cost of restoring patient data after such breaches increased by 16% in 2020 compared to 2019. The cybersecurity act is in addition to the expected changes to the HIPAA rules that have been proposed by the Department of Health and Human Services.

“46 million Americans had their health data breached in 2021 as a result of a cyberattack,” said Rep. Brian Fitzpatrick, R-PA. “The increasing number of attacks on our hospitals and health centers must be addressed. That is why I am proud to join my colleague Rep. Crow to introduce The Healthcare Cybersecurity Act of 2022 which will create new resources for cybersecurity risk training and promote strong cybersecurity measures across our nation’s healthcare systems.”

“Cyberattacks on our hospitals and health centers are becoming increasingly common and they are driving up our healthcare costs,” said Rep. Jason Crow, D-CO. “I’m proud to introduce the bipartisan Healthcare Cybersecurity Act with Rep. Fitzpatrick to protect the American people and their data from these malicious attacks.”

“As hospitals and other healthcare organizations across the United States face an onslaught of cyberattacks, we must take proactive steps to enhance information sharing and improve cybersecurity in the healthcare and public health sector,” said Sen. Jacky Rosen, D-NV. “That’s why I introduced the bipartisan Healthcare Cybersecurity Act in the Senate to strengthen cybersecurity protections and protect patient information, and I am glad to see it introduced on a bipartisan basis in the House of Representatives.”

To increase cybersecurity in the healthcare and public health sector, this legislation instructs the Cybersecurity and Infrastructure Security Agency (CISA) to work with HHS. Because healthcare and public health entities store large amounts of sensitive patient data and are seen as vulnerable targets by bad actors, cyberattacks on these entities are becoming more frequent and severe. For health-focused organizations, cooperation and information sharing between the public and private sectors are crucial to boosting cyber resilience.

CISA would also address workforce training, recruitment, and retention concerns in the healthcare cybersecurity field, which are especially acute in rural, small, and midsize healthcare and public-sector systems, and provide recommendations for how to resolve them. Additionally, the law would provide healthcare asset owners with training on cybersecurity risks and mitigation techniques.

The Healthcare Cybersecurity Act in particular:

  • Demands cooperation between CISA and HHS, including the signing of a contract, in order to enhance cybersecurity in the healthcare and public health sector, as specified by CISA.
  • Approves cybersecurity education for asset owners and operators in the healthcare and public health sectors on cybersecurity risks and precautions.
  • Requires CISA to conduct a thorough investigation into specific cybersecurity risks affecting the healthcare and public health sectors, including an analysis of how these risks specifically affect health care assets, an assessment of the difficulties these assets face in securing modernized information systems, and an evaluation of relevant cybersecurity workforce shortages.

Critics of the law have pointed out that it does not indicate how these initiatives would be funded, noting that smaller organizations often lack the resources to address cybersecurity risks. However, this act, along with the HIPAA Safe Harbor Bill enacted in 2021, does indicate that elected officials are aware of and concerned about the cybersecurity risks in healthcare.

The first step to addressing risks is to identify them. CompliancePoint has experienced cybersecurity professionals who can tailor a risk assessment to your environment and help you identify and create action plans to address your cybersecurity risks. Contact us at to get started.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.