Lawmakers want to create a liaison between the federal cybersecurity agency and the Department of Health and Human Services to allow for better coordination on cyberattacks and more robust threat information sharing. 

Reps. Brian Fitzpatrick (R-PA) and Jason Crow (D-CO) introduced the Healthcare Cybersecurity Act this month in the latest attempt by Congress to make headway on better protecting hospitals from cybercriminals and other digital threats. 

The bill would:

  • Create a formal liaison between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to “improve communication, threat analysis, and incident response.”
  • Require CISA and HHS to work together on general cybersecurity threats to the healthcare and public health sectors.
  • Order both agencies to conduct studies identifying specific cybersecurity vulnerabilities and risks impacting the healthcare sector.
  • Make cybersecurity trainings available to hospital workers.

“Cyberattacks on our healthcare system endanger more than data — they put lives at risk. This bipartisan bill takes direct, strategic action: empowering CISA and HHS to coordinate real-time threat sharing, expanding cybersecurity training for providers, and establishing a dedicated liaison to bolster response,” Fitzpatrick said.

“We’re not just responding to attacks — we’re building the infrastructure to prevent them, protect patient privacy, and defend a vital pillar of our national security.”

Sens. Jacky Rosen (D-NV) and Todd Young (R-IN) have introduced a version of the legislation in their chamber. 

The bill comes after multiple recent cyber incidents shut down hospitals and forced ambulance diversions, potentially endangering patient lives. One of the largest hospital networks in Ohio took weeks to recover from a ransomware attack that knocked its patient record system offline and forced appointment cancellations. Another hospital network with facilities across the Northeast is still struggling to restore systems brought down by a cyberattack two weeks ago. 

Fitzpatrick noted in a statement that these attacks on hospitals also have the downstream effect of leaking some of the most sensitive personal information available about a person. 

In 2021, 46 million Americans had data about treatments they received and other information leaked in cyber breaches, he explained. The lawmaker is a member of the Intelligence Committee and the Ways and Means Subcommittee on Health.

More communication, more insights

The new CISA-HHS liaison will be tasked with sharing cyberthreat information between the agencies, raising awareness about cybersecurity risks and implementing trainings that can be shared with healthcare organizations. The liaison also would be the main point of contact during significant incidents or attacks.

CISA and HHS would have to produce a report for Congress detailing the cybersecurity risks associated with specific healthcare products or assets within one year of the act’s passage.

That report would cover the risks facing rural and small hospitals, what challenges hospitals face in protecting devices, what medical devices are least secure and what can be done better to protect electronic health records. Some devices would be designated as “high-risk” based on criteria developed by HHS, CISA and healthcare industry officials. The list of high-risk devices will be provided to Congress and updated frequently. 

The report will detail the best responses to data breach or cyberattacks as well as the impact of attacks on the “timeliness of health care delivery, and health outcomes.”

Years in the making

Experts have repeatedly advised lawmakers to do more to bolster healthcare cybersecurity, but the healthcare industry has fought efforts to create more regulation.

Mike Hamilton, field CISO at Lumifi Cybersecurity and former CISO of the city of Seattle, noted that the bill is identical to another introduced last year that did not progress through Congress.

Hamilton explained that the legislation appears to be an attempt to “somewhat curb the losses of regulatory oversight from sector risk management agencies — HHS in the case of healthcare — and give it to CISA — stopping short of regulation but using CISA’s budget to assist in identifying (but not making) improvements.”

He said that the bill’s preoccupation with training may be unfounded, considering the issues faced by hospitals are about lack of resources and not skill development. 

“HHS and CISA creating a sector specific risk management plan — good, however this simply recreates what government and sector coordinating councils did before they were dialed down,” he added. “They weren’t being produced on schedule anyway, so this clearly backfills an activity that is needed.”

He noted that the bill does not include the real-time monitoring of covered entities or the use of data collected to map out threat activity. 

Sen. Mark Warner (D-VA), one of the leading lawmakers who has long pushed for more stringent healthcare cybersecurity protections, recently warned that the government is “seeing rising evidence of cyberattacks against our health care systems.” 

“I’ve been raising the alarm about this for years — these novel threats have the potential to kneecap our hospitals and delay lifesaving care, and we need to be ready to face them,” he said.