After establishing the Health Care Task Force working group last year, Sens. Bill Cassidy, Republican of Louisiana and ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee; Mark Warner, Democrat of Virginia; John Cornyn, Republican of Texas; and Maggie Hassan, Democrat of New Hampshire, have introduced the Health Care Cybersecurity and Resilience Act of 2024, a bipartisan bill aimed at strengthening cybersecurity in the health care sector to protect Americans' health data.
The Healthcare Cybersecurity and Resilience Act of 2024 would require the Secretary of Health and Human Services (HHS) and the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate efforts to improve cybersecurity in the healthcare and public health sector. The bill would support efforts in the healthcare sector by providing grants to healthcare organizations to improve their prevention of and response to cyberattacks, and by providing training to healthcare organizations on cybersecurity best practices.
The legislation also supports local communities by providing local clinics and other providers with best practices for cybersecurity breach prevention, resiliency, and coordination with federal agencies. It will also strengthen collaboration between the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency (CISA) to improve responses to cyberattacks in the healthcare sector.
It also updates current regulations to ensure that organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) implement cybersecurity best practices, and directs the Secretary of HHS to develop and implement a cybersecurity incident response plan.
According to HHS, 89 million Americans had their health information compromised in 2023, more than double the number in 2022 and an all-time high. These cyberattacks have a severe impact on healthcare operations, costing an average of $10 million per breach and leading to interruptions and long delays in healthcare. In 2022, hackers in Louisiana compromised approximately 270,000 personal records, including health information.
“Cyberattacks against the healthcare sector not only put patients' sensitive medical data at risk, they can also delay life-saving medical care,” Cassidy said in a media statement. “This bipartisan legislation will help healthcare organizations protect Americans' health data from growing cyber threats.”
“Cyberattacks against our healthcare systems and organizations not only threaten personal and confidential information, but even the slightest disruption can be a matter of life or death. I am proud to introduce this bipartisan bill to protect them,” said Senator Warner.
“In an increasingly digital world, it is imperative that Americans' health data is protected,” said Senator Cornyn. “This common sense legislation would modernize healthcare cybersecurity practices, strengthen government coordination, and provide local healthcare providers with tools to prevent and respond to cyberattacks.”
“Cyberattacks in the healthcare sector can have a wide range of devastating consequences, from the compromise of personal medical information to the disruption of care in the ER, and for rural healthcare providers with few resources, it can be particularly difficult to prevent and respond to these attacks. Our bipartisan working group came together to develop this bill based on the most pressing needs for health care providers and patients, and I urge my colleagues to support this bill.”
The Secretary, through the Assistant Secretary for Preparedness and Response and in collaboration with the Director of CISA, shall oversee and coordinate efforts within HHS to strengthen cybersecurity resiliency in the health care and public health sectors. This includes promoting coordination and communication with both public and private entities regarding cybersecurity incident preparedness and response based on this Act, other relevant laws, and the President's Policy Directive on Critical Infrastructure Security and Resilience.
The legislation requires the Secretary to develop and implement a comprehensive cybersecurity incident response plan within one year of enactment of the Health Care Cybersecurity and Resiliency Act of 2024. This plan is intended to guide stakeholders within HHS on the steps and procedures necessary to prepare for and respond to cybersecurity incidents. This covers information systems, including hardware, software, databases, and networks, managed by or for the Department.
This plan also includes strategies to assess cybersecurity risks, prevent incidents, detect and identify threats, minimize damage, protect data, and ensure rapid recovery from cybersecurity incidents.
The legislation also provides that, at least 60 days before the date the Secretary begins implementing the plan, the Secretary must submit a report detailing the plan to the Senate Health, Education, Labor, and Pensions Committee and the Homeland Security and Governmental Affairs Committee, and to the House Energy and Commerce Committee, Oversight and Reform Committee, and Homeland Security Committee.
The Secretary shall update the privacy, security, and breach notification regulations to require covered entities and business associates to implement certain cybersecurity practices. These include multi-factor authentication, or its successor technologies, for access to information systems that may contain protected health information; appropriate safeguards to encrypt protected health information; and requirements for conducting audits, including penetration testing.
The required practices also include other minimum cybersecurity standards, determined by the Secretary in consultation with private parties, based on a landscape analysis of emerging and existing cybersecurity vulnerabilities and consensus best practices.
Earlier this month, the U.S. General Accounting Office (GAO) identified challenges facing the Department of Health and Human Services (HHS) in meeting its cybersecurity responsibilities. Strengthening HHS leadership could be accomplished by implementing previous recommendations. Cyberattacks against the medical and public health sector have increased rapidly in recent years.