The healthcare industry has seen an increase in the number of cyberattacks in recent years, and Congress has spent time updating laws that experts say are key to detecting threats before attacks occur.
The Cybersecurity Information Sharing Act of 2015, or CISA, allows organizations that monitor for cyber threats to share information about potentially bad actors without facing potential liability before a cyberattack occurs. However, the law is set to expire on September 30, and experts told Healthcare Brew that without it, the healthcare system would be more vulnerable.
“If information is not shared, it gives the attacker an advantage because no attacker is detected,” said Mike Nelson, vice president of digital trust at cybersecurity firm DigiCert. “The unfortunate outcome is that there is less information to be shared, so the attacks are guaranteed to rise.”
Benefits of CISA
Before the law was passed, an organization that detected a potential cyberattack threat may have been hesitant to share that information for fear of legal liability, according to George Pappas, CEO of healthcare cybersecurity compliance company Intrase Health.
“You really want the party to share (information) before they have a solution,” he said.
What CISA did was remove the liability component: organizations were protected when sharing information about potentially bad actors.
“Information sharing about cybersecurity is an important aspect of protection,” Nelson said. “For example, if one hospital is hit by ransomware, they can quickly share the method of attack, details of that attack.”
What will happen without CISA?
If CISA is allowed to expire at the end of September, hospitals and healthcare organizations will experience more successful cyberattacks “because organizations are not ready to respond to those attacks,” said Jon Moore, chief risk officer and SVP of consulting services at healthcare cybersecurity firm Clearwater Security.
Cyberattacks are already a major healthcare problem. The industry faced the most cyber threats of all critical infrastructure industries last year, according to the FBI's 2024 Internet Crime Report. That same year, the Change Healthcare cyberattack affected half the US population.
Without CISA, organizations are likely to return to sharing information about potential cyber threats without the protections provided by the law, Nelson said.
What's coming next
Sens. Mike Rounds, a South Dakota Republican, and Gary Peters, a Michigan Democrat, introduced a bill in April that would extend CISA for another 10 years.
In a press release on the bill, Rounds said that the lapse of CISA could “significantly weaken” the cybersecurity ecosystem, “removing critical liability protections in both the defense industry foundation and the critical infrastructure sector, and hindering defense operations.”
While the bill has not yet advanced, Federal News Network reported on August 19 that the House Homeland Security Committee confirmed plans to mark up the bill when Congress returns from its August break.
Since the CISA was passed, the healthcare industry has seen “risqué improvements” to help organizations stay protected from cyber threats, Nelson said.