The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Bipartisan Senate Bill Seeks to Strengthen Healthcare Cybersecurity

A bipartisan bill has been introduced in the Senate that calls for the Department of Health and Human Services (HHS) to update the HIPAA regulations to strengthen cybersecurity across the healthcare sector and provide grants to help low-resourced healthcare organizations adopt cybersecurity best practices.

The HHS is about to propose an update to the HIPAA Security Rule that will include new cybersecurity requirements. The updated rule is currently under review by the White House, and the HHS Office for Civil Rights (OCR) intends to publish the proposed rule before the end of the year. OCR has not disclosed what new requirements are being proposed, other than stating that the proposed rule includes substantial updates to the HIPAA Security Rule. The fate of the proposed rule will lie with the new administration. President Trump has stated that one of the aims of his administration is to eliminate certain regulations, although there is broad bipartisan support for improving healthcare cybersecurity.

The Health Care Cybersecurity and Resiliency Act of 2024 was introduced by Sen. Bill Cassidy (R-LA), ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, Mark Warner (D-VA), John Cornyn (R-TX), and Maggie Hassan (D-NH) and is the result of bipartisan collaboration through a cybersecurity working group established in 2023. The working group was formed in response to increasing cyberattacks and ransomware attacks on the healthcare sector. These attacks cause massive disruption to healthcare operations, resulting in canceled appointments and delays to life-saving care, and put patients’ sensitive health data at risk.

“In an increasingly digital world, it is essential that Americans’ health care data is protected,” said Senator Cornyn. “This commonsense legislation would modernize our health care institutions’ cybersecurity practices, increase agency coordination, and provide tools for rural providers to prevent and respond to cyberattacks.” The Health Care Cybersecurity and Resiliency Act seeks to establish grants to help healthcare organizations improve cyberattack prevention and response and ensure training is provided to healthcare entities on cybersecurity best practices.

Best practices will also be provided to rural health clinics and other providers on cyberattack prevention, resilience, and coordination with federal agencies. The bill also calls for better collaboration between the HHS and the Cybersecurity and Infrastructure Security Agency (CISA) to improve the response to cyberattacks in the healthcare and public health sector. The bill requires the HHS Secretary to develop and implement a cybersecurity incident response plan and update the information types displayed on the OCR breach portal.

If passed, the bill would require the public sharing of any corrective actions taken against the regulated entity, the recognized security practices considered (if applicable) during the investigation, and any further information the HHS Secretary deems relevant. The HITECH Act will also be updated to require the disclosure of the number of individuals affected by the breach. The bill also calls for current HIPAA regulations to be modernized, for example by requiring HIPAA-regulated entities to adopt cybersecurity best practices such as multifactor authentication, and for healthcare organizations to conduct penetration tests and audits to ensure their security measures are effective.

The legislation follows an earlier bill – The Health Infrastructure Security and Accountability Act (HISAA) – introduced by Sen. Warner and Sen. Ron Wyden (D-OR) that called for the establishment of new minimum cybersecurity standards for healthcare organizations. HISAA was penned in response to the ransomware attack on Change Healthcare that caused massive disruption for providers and patients across the country and involved the theft of the health information of 100 million Americans.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
