US senators Bill Cassidy (R-LA), Mark Warner (D-VA), John Cornyn (R-TX), and Maggie Hassan (D-NH) have introduced a bipartisan bill seeking stronger cybersecurity in the healthcare sector and the protection of health data.
The Health Care Cybersecurity and Resiliency Act of 2024 (PDF) calls for updated Health Insurance Portability and Accountability Act (HIPAA) regulations and for financial aid for low-resourced entities to improve cybersecurity across the healthcare sector.
Per the bill, the Department of Health and Human Services (HHS) will coordinate with the US cybersecurity agency CISA to strengthen the sector’s cybersecurity stance through information sharing and the development of products tailored for healthcare organizations.
The legislation also dictates that the HHS secretary, in coordination with CISA, will provide training to health and public health sector asset owners and operators, promoting cybersecurity literacy and expertise.
Within one year of the bill’s enactment, the HHS secretary will be required to develop and implement a cybersecurity incident response plan ensuring that public and private entities are prepared for and can properly respond to cybersecurity incidents.
Additionally, the bill directs the HHS secretary to promulgate updated regulations requiring entities in the healthcare sector that have experienced cybersecurity incidents to publicly share information on corrective actions and recognized security practices they have adopted.
The Health Care Cybersecurity and Resiliency Act of 2024 also requires that all covered entities and their business partners disclose the number of individuals potentially affected by a cybersecurity incident.
The bill also dictates that rural entities and rural health clinics will be provisioned with guidance on security best practices, and that eligible entities will receive grants enabling them to adopt and use cybersecurity best practices.
“Eligible entities include: hospitals, cancer centers, rural health clinics, health facilities operated by the Indian Health Service, academic health centers, or a nonprofit entity that enters into a partnership with an eligible entity,” reads a section-by-section summary (PDF) of the bill.
The new legislation was introduced in response to an increase in cyberattacks, data breaches, and ransomware incidents across the healthcare sector, some of which caused massive disruptions, impacted millions of individuals’ personal information, and put patients’ lives at risk.
“Cyberattacks on our health care systems and organizations not only threaten personal and sensitive information, but can have life-and-death consequences with even the briefest period of interruption. I’m proud to introduce this bipartisan legislation that strengthens our cybersecurity and better protects patients,” Senator Warner said.
Related: Risk and Regulation: Preparing for the Era of Cybersecurity Compliance
Related: Bill Would Force Period Tracking Apps to Follow Privacy Laws
Related: Experts Analyze Proposed Bill Allowing Private Entities to ‘Hack Back’
Related: Tech Companies Pledge Billions in Cybersecurity Investments