Senators Introduce Healthcare Cybersecurity Act

The Healthcare Cybersecurity Act aims to promote collaboration between CISA and HHS to enhance cybersecurity efforts across the sector.

By Jill McKeon

Senators Bill Cassidy (R-LA) and Jacky Rosen (D-NV) introduced the bipartisan Healthcare Cybersecurity Act (S.3904) shortly after President Biden warned all critical infrastructure sectors to harden their cyber defenses to safeguard against potential Russian cyberattacks.

“Healthcare and Public Health Sector assets are increasingly the targets of malicious cyberattacks, which result not only in data breaches, but also increased healthcare delivery costs, and can ultimately affect patient health outcomes,” the bill began.

The act aims to strengthen healthcare cybersecurity by partnering the Cybersecurity and Infrastructure Security Agency (CISA) with HHS. Specifically, the act would require CISA and HHS to enter into an agreement, as defined by CISA, that would improve cybersecurity in the healthcare and public health sector.

If the bill passes, CISA would work with information sharing organizations and analysis centers to create resources specific to the healthcare sector and to promote threat sharing. The act also supports training efforts for private sector healthcare experts. CISA would be responsible for educating healthcare asset owners and operators on the cybersecurity risks within the sector and ways to manage those risks.

“In light of the threat of Russian cyberattacks, we must take proactive steps to enhance the cybersecurity of our healthcare and public health entities,” Senator Rosen said in a press release.

“This bipartisan bill will help strengthen cybersecurity protections and protect lives.”

The act would also mandate that CISA conduct a thorough study on the cybersecurity risks facing the healthcare sector. The study would explore strategies for securing medical devices and electronic health records, and how data breaches impact patient care.

CISA’s study also must address the cybersecurity workforce shortage and provide recommendations for how to address the shortage, particularly in rural care settings. The report must be completed no later than one year after the bill’s enactment.

“Health centers save lives and hold a lot of sensitive, personal information. This makes them a prime target for cyber-attacks,” Senator Cassidy said in the press release.

“This bill protects patients’ data and public health by strengthening our resilience to cyber warfare.”

The Federal Bureau of Investigation’s (FBI) 2021 Internet Crime Report revealed that the healthcare sector faced more ransomware attacks in 2021 than any other critical infrastructure sector. The FBI’s Internet Crime Complaint Center (IC3) received 148 complaints of healthcare ransomware attacks. The next-highest number came from the finance sector, with just 89 complaints.

The IC3 also observed a 7 percent increase in total internet crime complaints in 2021 compared to 2020.

Cyberattacks against critical infrastructure can upend operations and cause supply chain disruptions, as exemplified by the May 2021 Colonial Pipeline attack. For healthcare, cyber threats can endanger patient safety and privacy.

Today’s sophisticated cyber threat landscape demands collaboration between healthcare entities, threat-sharing organizations, and government agencies.