New Federal Healthcare Cybersecurity Bill Introduced, CISA Offers Cybersecurity Guidance and Tools

By Beth Pitman and Tayler Chambless

Prompted by growing concerns of Russian cyberthreats to key U.S. infrastructure, the bipartisan Healthcare Cybersecurity Act of 2022 (S.3904) was introduced by U.S. Senators Jacky Rosen (D-NV) and Bill Cassidy, M.D., (R-LA) on March 23, 2022. The Act would direct the Cybersecurity and Infrastructure Security Agency (CISA) to collaborate with the Department of Health and Human Services (HHS) to improve cybersecurity in the healthcare and public health sector. The establishment of CISA was required by the Cybersecurity Information Sharing Act of 2015 (CISA 2015), and the proposed law does not amend CISA 2015. Instead, it appears to strengthen and expand the cybersecurity obligations that CISA 2015 already imposes on both agencies, CISA and HHS, toward healthcare businesses.

The increasingly malicious cyberattacks experienced by healthcare organizations in recent years have led to data breaches that have increased healthcare delivery costs and, in some instances, affected patient health outcomes. According to the proposed legislation, data reported to HHS shows that in "almost every month in 2020, more than 1,000,000 people were affected by data breaches at healthcare organizations." The bill also states that cyberattacks on healthcare facilities rose by more than half in 2020 and resulted in a 16 percent increase in the average cost of recovering patient records over 2019. Similarly, data from the HHS Office of Civil Rights (OCR) indicates that "health information breaches have increased since 2016, and in 2020 alone, the Department reported 663 breaches on covered entities . . . affecting more than 500 people, with over 33,000,000 total people affected by health information breaches."

The Healthcare Cybersecurity Act of 2022 would:

Require CISA and HHS to collaborate, including by entering into an agreement to improve cybersecurity in the healthcare and public health sector, as defined by CISA.

Authorize training to healthcare providers on cybersecurity risks and ways to mitigate them.

Require CISA to conduct a detailed study of the specific cybersecurity risks facing the healthcare and public health sector, including an analysis of how those risks affect healthcare organizations in particular and an evaluation of the challenges healthcare providers face in securing and updating information systems, addressing vulnerabilities in medical devices and equipment, and implementing cybersecurity protocols.

Require CISA to assess relevant cybersecurity workforce shortages and provide recommendations for how to address such shortages and issues.

In early March, CISA issued a rare "Shields Up" warning regarding cyberattacks, stating that "every organization - large and small - must be prepared to respond to disruptive cyber activity." To provide quick access to resources for urgent security improvements, CISA has compiled guidance, updates, and free cybersecurity services and tools from government and industry partners on its website. CISA also maintains a Known Exploited Vulnerabilities Catalog, which identifies vendors and products with vulnerabilities known to be exploited and indicates what actions to take if an organization uses such vendors or products (e.g., if you use Adobe Acrobat and Reader, be sure to apply pending updates per vendor instructions).

As mandated by CISA 2015, HHS has implemented measures to educate healthcare companies about cybersecurity practices and to give them incentives to adopt them. HHS established the 405(d) Program and Task Group, which in late 2018 issued the Health Industry Cybersecurity Practices (HICP); the Office of the Chief Information Officer; and the Health Sector Cybersecurity Coordination Center (HC3). Initially a voluntary guidance document, HICP was redefined as "recognized security practices" in 2021 by the Health Information Technology for Economic and Clinical Health (HITECH) Act. As a result, healthcare providers that have implemented HICP for no less than 12 months prior to the start of an OCR investigation may be entitled to a shortened period of investigation and/or reduced penalties for violations of HITECH and HIPAA. OCR now regularly requests evidence of such practices as part of post-breach investigations.

HHS and CISA currently provide resources specific to healthcare providers and related businesses. These resources are available from HHS's Health Sector Cybersecurity Coordination Center (HC3) and from CISA, and we encourage security officers, compliance officers and directors of IT to subscribe to listserv alerts from HC3 and CISA. Email subscriptions can be set up on the homepage of each agency's website.

Beth Pitman is a partner with Waller where she advises healthcare systems and providers as well as healthcare IT businesses. Tayler Chambless, an associate with Waller, assists clients with healthcare operations and regulatory matters.