New Senate healthcare cybersecurity bill appears redundant to ongoing mitigation activities, legal expert says


A bipartisan group of Senators introduced a healthcare cybersecurity bill on July 11 to help prevent cyberattacks on healthcare facilities, which the federal government deems as critical infrastructure.

However, a cybersecurity lawyer said the proposals are redundant with actions the administration is already taking to protect healthcare cybersecurity. 

The massive fallout from this year’s Change Healthcare cyberattack has heightened lawmakers’ and regulators’ attention on cybersecurity. The proposed FY2025 Health and Human Services budget even allocates $800 million to cybersecurity after the major disruptions to healthcare billing this year.

The Healthcare Cybersecurity Act was introduced by Sens. Jacky Rosen, D-Nevada, Todd Young, R-Indiana, and Angus King, I-Maine. It was referred to the Committee on Homeland Security and Governmental Affairs. 

“In recent years, hospitals and health care facilities in Indiana have experienced a dramatic increase in cyberattacks. Our bipartisan bill will take critical steps to strengthen cybersecurity infrastructure and better protect patients’ personal data,” Young wrote in a post on X. 

The bill would create a liaison between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services that would, among other things, provide technical assistance and best practices to healthcare organizations on cybersecurity. The liaison would also act as the coordinator between HHS and CISA in the event of a healthcare cyberattack.

The bill also requires a report from the CISA liaison to Congress and a Healthcare- and Public Health Sector-specific plan for cybersecurity. The Secretary of HHS would update the plan to include the biggest cybersecurity risks to small, medium and rural healthcare organizations and an assessment of workforce shortages, within one year. 

The bill would also create a list of high-risk covered assets to be updated biannually.

“Cyberattacks are one of the most pressing concerns for our community health centers, which must direct an increasing share of funds away from patient care towards data security,” Nancy Bowen, Chief Executive Officer of the Nevada Primary Care Association, said in a statement. “The Nevada Primary Care Association appreciates Senator Rosen for introducing the Healthcare Cybersecurity Act to direct federal resources to help keep our systems safe and our health centers focused on their primary mission of providing excellent care.”

Steve Cagle, CEO of healthcare cybersecurity firm Clearwater, says the legislation is redundant.

“I think there’s multiple groups and multiple entities working on similar initiatives … [and] a lot of those were actually happening before the Change Healthcare attack. And one that happened following the Change Healthcare attack was there’s an ongoing effort right now to understand where there is a sector risk and where there are specific vendors or organizations that, like Change, can have a high impact on the rest of the industry,” he said.

He cited President Joe Biden’s April 2024 National Security Memorandum on Critical Infrastructure, Presidential Policy Directive 41, HHS’s 405d program and cybersecurity training already offered by CISA and HHS as some examples of initiatives that accomplish similar things as what the legislation would require. 

Moreover, he said that the Health Sector Coordinating Council’s (HSC) Cybersecurity Task Force is currently conducting a survey on threats to rural healthcare facilities. 

Cagle also said the legislation is an important step towards more meaningful cybersecurity regulation in the country, even if it lacks teeth. 

“The biggest single problem that smaller organizations [and] hospitals have, [is] they don’t have the people, they don’t have the expertise, they don’t have the knowledge. You can tell them all day long, ‘These are the things you have to do,’ and they’re gonna say, ‘I can’t do that. Who’s going to do this? I’ve got 2.5 IT people here [and] no dedicated security people and we’re barely keeping up with everything else,’” he said.

What healthcare cybersecurity needs, Cagle said, is accountability, email protection, vulnerability management, risk analysis and experienced security staff to guide programs. He pointed to legislation in New York that will require healthcare organizations to have chief information officers. 

Cagle also said that making HHS’ voluntary cybersecurity performance goals (CPGs) mandatory would be effective. The CPGs offer specific controls and practices that are reasonable and appropriate, Cagle said. 

“I think the health industry cybersecurity practices guide is the reasonable and appropriate roadmap or way of achieving the cybersecurity performance goals and HHS would agree with that,” Cagle said.

The roadmap links back to the NIST cybersecurity framework and outlines steps for small, medium and large organizations to take to mitigate cybersecurity risks. 

“The practical approach is … let’s get the basic security controls in place. Let’s get risk analysis to find residual risk [and] focus on the high risks,” Cagle explained. “Provide enough resources [for] these small organizations that have never planned for this kind of attack … The current … reimbursement structure just doesn’t give them enough funding to pay for all these things.”

The recent repeal of the Chevron doctrine also makes healthcare cybersecurity regulation more complicated, Cagle said. 

While it’s long been speculated that the CPGs could become mandatory in the fall update to the HIPAA Security Rule, some advocates were discussing separate regulations that could put the standards into effect in a matter of months. It was speculated that cybersecurity standards could be tied to CMS reimbursement.

Cagle said that now, because the Supreme Court’s Chevron decision affects how much leeway federal agencies have to interpret laws, HHS is unlikely to pursue separate regulations for cybersecurity.

More likely is that the CPGs get folded into the fall update to the HIPAA Security Rule, which the agency definitely has the Congressional authority to do. However, the finalization of the updated HIPAA Security Rule could take years, Cagle said.
