Legislation introduced in the U.S. House of Representatives this month would direct the Cybersecurity and Infrastructure Security Agency to collaborate with Health and Human Services to protect Americans’ healthcare data from cyberattacks.
WHY IT MATTERS
HHS data reported that breaches of healthcare facilities rose 55% in 2020, with nearly one million patients affected monthly.
“Cyberattacks on our hospitals and health centers are becoming increasingly common and they are driving up our healthcare costs,” said Rep. Jason Crow, D-Colo., in an announcement about the bill cosponsored by Rep. Brian Fitzpatrick, R-Pa.
In addition to increased healthcare delivery costs, the congressman’s announcement cites the growing frequency of malicious attacks that ultimately affect patient health outcomes.
The bill and its companion in the Senate, introduced by Sen. Jacky Rosen, D-Nev., in March, attest that “collaboration and information sharing between the public and private sectors is essential to increasing cyber resilience for health-focused entities.”
The Healthcare Cybersecurity Act would require CISA and HHS to collaborate by entering into an agreement to improve cybersecurity as defined by CISA.
Within one year of the legislation’s bicameral passage, the federal cybersecurity agency would complete a detailed study analyzing risks specific to healthcare assets and data, information system security challenges in the sector, and cybersecurity workforce shortages.
CISA would address healthcare cybersecurity workforce training, recruitment and retention issues and make recommendations for how to address them, particularly in rural and small and medium-sized healthcare and public sector systems.
The legislation would also authorize cybersecurity training for healthcare asset owners on cybersecurity risks and mitigation strategies.
Healthcare IT News reached out to Crow’s Washington, D.C., office asking about funding for the proposed CISA training. Information was not readily available, but this article will be updated when it is.
Both bills have been referred to their respective committees on homeland security.
THE LARGER TREND
The legislation’s sponsors point to a nearly threefold increase in sensitive health data breaches over the last three years.
The increase, and the highly publicized events, have resulted in hospital boards pouring more money into cybersecurity to address care disruptions and protect interoperable electronic health records and other data sources.
Hospitals are adapting to the spike in ransomware by increasing redundancy with cloud tools and by putting bring-your-own-device policies in place to enable care teams to use their devices to communicate over cellular networks when WiFi networks become unavailable, according to Steve Smerz, CISO at Halo Health, a clinical collaboration platform.
“In any case, whether the organization relies on shared devices, BYOD or other mobile device strategies, a clinical collaboration platform enables team members to continue communication in real time to deliver and act on mission-critical information, such as stroke and sepsis alerts,” he told Healthcare IT News a year ago.
Larger healthcare systems are also addressing cyberattack threats with increased training to mitigate the effects of a data breach.
ON THE RECORD
“Forty-six million Americans had their health data breached in 2021 as a result of a cyberattack,” said Fitzpatrick. “The increasing number of attacks on our hospitals and health centers must be addressed.”