New Legislation Aims to Strengthen Healthcare Cybersecurity Within HHS

February 15, 2024 - US Senators Angus King (I-ME) and Marco Rubio (R-FL) introduced the Strengthening Cybersecurity in Health Care Act, aimed at bolstering cybersecurity efforts within HHS.

Specifically, the act would require HHS to perform routine cybersecurity evaluations of its cybersecurity systems and deliver biannual reports on its practices and progress.

“In recent years, several of Maine’s major healthcare providers have been the victims of cyberattacks. This threat to America’s critical infrastructure is real, and could literally mean the difference between life and death — we must take proactive steps to enhance the cybersecurity of our healthcare and public health sectors,” said King, who is also co-chair of the Cybersecurity Solarium Commission and a member of the Senate Armed Services (SASC) and Intelligence Committees (SSCI). 

“The bipartisan Strengthening Cybersecurity in Health Care Act would help ensure that health institutions have the resources to keep patient data safe. As the number of threats continues to grow, consistent evaluations will prove to be a lifeline to the medical community treating our family and friends.”

If passed, the act would require the HHS Office of Inspector General (OIG) to evaluate the cybersecurity practices of HHS via penetration tests and other assessment methods in an effort “to determine how its systems could be compromised or pose a risk to patient data or patient safety.

Every two years, HHS would be required to submit a report to Congress that describes how the Inspector General is using federal funds to carry out the aforementioned assessments and any other additional funding or legislation that may be needed to maintain these evaluations.

“Since the pandemic, we have seen a rise in the number of cyberattacks against our healthcare systems,” Rubio added in the press release. “I am proud to introduce the bipartisan Strengthening Cybersecurity in Health Care Act. This legislation aims to reassure the American people by better safeguarding their sensitive information, ensuring peace of mind during these ever changing times.”

The introduction of this legislation signifies a continued focus among lawmakers and government agencies on healthcare cybersecurity. For example, HHS recently released its long-anticipated cybersecurity performance goals (CPGs), aimed at helping the sector prioritize the implementation of security best practices.

This focus on healthcare cybersecurity has extended to the state level as well. In light of multiple cyberattacks that impacted New Yorkers, New York Governor Kathy Hochul proposed a set of sweeping cybersecurity regulations in November that would apply to hospitals across the state, along with $500 million in funding to help healthcare facilities upgrade their technology systems to meet the requirements of the proposed rules.

As healthcare data breaches continue to threaten the sector, additional government assistance and legislation may be on the horizon.