Source: www.csoonline.com
In the wake of ransomware attacks on healthcare providers, US legislators have introduced three competing bills to improve cybersecurity in the industry; none is likely to pass in this session of Congress.
Six months after Congressional hearings that promised action on the massive Change Healthcare ransomware attack and data theft, three pieces of proposed legislation to tighten cybersecurity requirements on healthcare providers are waiting to be dealt with.
But Senators have left the proposals too late in the legislative calendar: experts say the issue will likely only be seriously addressed when the new session of Congress begins next year.
“Legislation is critical to finally bring healthcare cybersecurity requirements to par with other industries,” says Alla Valente, a Forrester Research senior security and risk analyst. “However, given legislative priorities, the chances of it happening any time soon are slim.”
The latest proposed bill is the Health Care Cybersecurity and Resiliency Act (S.5390), introduced in the Senate on Nov. 22 by two Republican and two Democratic Senators. It has earned praise from the American Hospital Association (AHA) because it omits the punitive penalties against institution executives for cybersecurity failures that are proposed in the Health Infrastructure Security and Accountability Act (S.5218).
The other proposed bill is the Healthcare Cybersecurity Act (S.4697).
None of the proposed bills has much of a chance of becoming law before this legislative session ends on Dec. 20. The fact that legislators keep trying shows how hard it is to get a consensus on an issue that both sides of the aisle agree is vital: better protecting healthcare data.
The expectation is that one or more of the three bills will be re-introduced in the new session next year.
John Riggi, the AHA’s national advisor for cybersecurity and risk, said that the lack of agreement between Republicans and Democrats on the cybersecurity issue at this stage is just part of the legislative process.
“It’s not uncommon for various bills to be introduced and then through various [Congressional] committees come to some reconciliation and they all agree which bill should actually go on the floor for a vote,” he said. “The positive thing is that there is in fact legislative attention on the issue and we’ve been able to convince our legislators that this is not just a hospital issue.”
It is also an issue for suppliers to the healthcare industry, including technology suppliers, and a concern for the US federal government too, he said, adding: “It will be very interesting to see in 2025 which provisions of all of these bills come to some reconciliation.”
Greg Garcia, executive director of the Health Sector Co-ordinating Council’s Cybersecurity Working Group, said in an email that his group looks forward to committee hearings and markups on the proposed bills, “if they get that far next year, to refine the legislation in ways that can offer meaningful healthcare cybersecurity and resilience.”
Under consideration, he said, should be strengthening of existing cybersecurity programs of the federal Health and Human Services Department (HHS), financial and technical support to under-served providers and regulatory accountability of third-party participation in the national critical healthcare infrastructure.
How Change Healthcare became a force for change
According to HHS, personal health information of 100 million individuals was stolen during the February ransomware attack on Change Healthcare. Parent company UnitedHealth Group acknowledged paying a US$22 million ransom.
During Congressional testimony, UnitedHealth Group CEO Andrew Witty admitted the attackers used compromised credentials to remotely access a Change Healthcare Citrix portal that wasn’t protected with multi-factor authentication (MFA), even though UnitedHealth Group policy required MFA for IT services. UnitedHealth bought Change Healthcare in 2022.
The fallout from that attack, and the resulting congressional testimony, gave rise to three separate legislative proposals.
Here’s a brief look at the three proposed bills:
The Healthcare Cybersecurity Act
The 12-page Healthcare Cybersecurity Act (S.4697) was introduced in August and backed by Senators Jacky Rosen (D-Nevada), Todd Young (R-Indiana), and Angus King, an independent Senator from Maine. An identical version was introduced in the House of Representatives.
It asks HHS to work with the US Cybersecurity and Infrastructure Security Agency (CISA) to improve cybersecurity in the healthcare and public health sector by outlining best cybersecurity practices.
CISA would be required to make resources available to Information Sharing and Analysis Organizations (ISAOs), health sector co-ordinating councils and non-federal entities that are receiving information shared through programs managed by HHS.
That includes making training available to owners and operators of healthcare facilities on cybersecurity risks and how to mitigate them.
HHS could also identify high-risk assets. HHS would also have to create a health sector risk management plan, including coverage of rural, small and medium-sized institutions, outlining how to secure owned, leased or relied-on IT systems, medical devices, and sensitive patient health records.
The Health Infrastructure Security and Accountability Act
The second proposal is the tougher Health Infrastructure Security and Accountability Act (S.5218), co-sponsored by Democratic Senators Ron Wyden and Mark Warner.
This 49-page bill requires HHS to set minimum security standards for providers, health plans, clearinghouses, and business associates. Hospitals would be required to meet rules set by HHS for enhanced cybersecurity practices that address vulnerabilities in IT infrastructure and patient health information.
They would be required to create a security risk analysis at least annually, document a plan for the rapid resolution of a cybersecurity incident or natural disaster, conduct a stress test on IT systems and provide a written statement signed by the CEO and CIO or equivalent that it is in compliance with security requirements. Covered entities would have to hire an independent auditor to verify compliance.
Failing an audit or failing to file reports could result in a civil fine of up to $5,000 a day for each failure. In addition, a person knowingly filing a report with false information could be convicted of a felony and sentenced to up to 10 years in prison and/or fined up to $1 million.
The bill also proposes that Congress set aside $800 million to help hospitals that need it adopt the essential cybersecurity practices set by HHS.
The Health Care Cybersecurity and Resiliency Act
The latest bill, the Health Care Cybersecurity and Resiliency Act (S.5390), was introduced last month by two Democratic and two Republican Senators.
It has some similarities to the other proposed acts, but it doesn’t have criminal penalties for non-compliance. More importantly, it explicitly sets out required cybersecurity standards that must be met, including the adoption of multifactor authentication “or a successor technology” for access to IT systems that may hold protected information, and safeguards to encrypt protected health information. HHS would set regulations with requirements for conducting audits and penetration testing, and “other minimum cybersecurity standards” may be set by HHS in consultation with the private sector.
HHS would also issue guidance to rural hospitals and clinics on best cybersecurity practices. To help them, HHS may award grants.
Healthcare facilities would also have to publicly post some data breach information to an HHS portal, including the number of people affected by the breach and any corrective action the institution has taken.
Forrester Research’s Valente says this latest bill “is light on requirements for cybersecurity best practices.” For example, she said, MFA is “table stakes” these days in cybersecurity.
Would the legislation have helped Change Healthcare?
The newly proposed legislation wouldn’t have prevented or mitigated the Change Healthcare attack, she added.
Overall, she said, Congress would be better off adopting a stronger New York State regulation that came into effect in October. Covered hospitals must now report any material cybersecurity incident to the New York State Department of Health within 72 hours of discovery.
By Oct. 2, 2025, they have to designate a CISO; implement a cybersecurity program that protects the hospital’s IT systems, and the continuity of the hospital’s business and operations, from unauthorized access; adopt policies that limit user access privileges to IT systems holding non-public information; and encrypt the data they hold or transmit. The regulations also specify that the cybersecurity program must mitigate risks from email-based threats, and that penetration testing of the hospital’s IT systems must be done at least annually.
The new session of Congress starts Jan. 3, 2025.
Original Post url: https://www.csoonline.com/article/3625064/future-of-proposed-us-cybersecurity-healthcare-bills-in-doubt.html
Category & Tags: Government, Healthcare Industry, Security