Health Care Cybersecurity Resiliency Act Aims to Harden Healthcare Cybersecurity

A bipartisan group of Senators has introduced the Health Care Cybersecurity Resiliency Act of 2024, the aim of which is to help healthcare organizations deal with the increased threat of ransomware attacks and other malicious cyber threats. The bill was introduced by Bill Cassidy (R-LA), Mark Warner (D-VA), John Cornyn (R-TX), and Maggie Hassan (D-NH), all of whom are members of a healthcare cybersecurity working group formed in 2023 in response to the increase in cyberattacks and large healthcare data breaches.

For years the healthcare industry has been targeted by hackers. Healthcare organizations typically have a sprawling attack surface, with thousands of IoT and IoMT devices, legacy systems, and complex architectures that are difficult to secure, and they store vast amounts of sensitive, valuable data on which clinical operations depend. Sensitive data is stolen in these attacks, and ransomware attacks lock up systems and data, cause massive disruption, and put patient safety at risk. Successful attacks on healthcare organizations are often highly profitable, and with some nation states either condoning these attacks or turning a blind eye to malicious cyber activity, the threat is likely to remain.

To combat attacks, healthcare organizations need stronger defenses than the minimum standards of the HIPAA Security Rule and need to adhere to the latest cybersecurity best practices, and funds need to be made available to help them make the necessary improvements. The Health Care Cybersecurity Resiliency Act seeks to harden cybersecurity defenses by requiring the HHS to update the HIPAA regulations to mandate that HIPAA-covered entities and their business associates adhere to baseline standards and up-to-date cybersecurity practices, such as implementing multi-factor authentication, encrypting patient data, conducting security audits and penetration tests, and meeting any other cybersecurity requirements deemed necessary by the HHS Secretary. The bill also requires the HHS to implement a cybersecurity incident response plan to ensure that public and private entities are prepared for cybersecurity incidents and can respond effectively.

The bill also calls for the HHS Office for Civil Rights (OCR) to update its breach portal to display the corrective actions taken against entities that have submitted a breach notification, whether and to what extent recognized security practices had been implemented prior to the breach, and any other relevant information the Secretary may require. The breach reporting obligations have also been clarified by adding “the number of individuals affected by the breach” to the reporting requirements of the HITECH Act. The Health Care Cybersecurity Resiliency Act calls for closer collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the HHS to develop training for healthcare and public health (HPH) sector asset owners and operators to improve cybersecurity literacy and expertise.

Many healthcare organizations lack the funds needed to improve cybersecurity. The bill calls for assistance to be provided through grants to help underserved communities make the necessary improvements to cyberattack prevention and response, including improved cybersecurity awareness training, the implementation of up-to-date cybersecurity best practices, and improved coordination with federal agencies. Entities eligible to apply for grants include hospitals, cancer centers, rural health clinics, Indian Health Service facilities, academic health centers, and nonprofits that enter into partnerships with eligible entities.

“Cyberattacks on our healthcare systems and organizations not only threaten personal and sensitive information, but can have life-and-death consequences with even the briefest period of interruption,” said Sen. Warner. “I’m proud to introduce this bipartisan legislation that strengthens our cybersecurity and better protects patients.”

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/