Lawmakers have introduced the Healthcare Cybersecurity Act in the House of Representatives, aiming to enhance protections for healthcare data amid a surge of cyberattacks targeting the industry. The bipartisan bill is spearheaded by Representatives Jason Crow (D-Colo.), Brian Fitzpatrick (R-Pa.), and Andy Kim (D-N.J.).
A Senate companion bill was introduced in July 2024 by Senators Jacky Rosen (D-Nev.), Todd Young (R-Ind.), and Angus King (I-Me.).
The legislation mandates a collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to strengthen cybersecurity within the healthcare sector. It also seeks to make cyber defense resources available to nonfederal healthcare entities.
Lawmakers cited a 2022 HHS Office for Civil Rights (OCR) report showing a 107% rise in data breaches involving unsecured protected health information since 2018.
“Hospitals and health centers are critical parts of our nation’s infrastructure,” said Fitzpatrick. “With the alarming increase in cyberattacks, we must act swiftly to prevent data breaches, rising healthcare costs, and compromised patient care.”
The bill calls for more coordination between CISA and HHS to manage cybersecurity risks. It proposes the appointment of a special liaison within CISA to act as a point of contact with HHS, ensuring better communication and threat sharing during cybersecurity incidents.
If passed, the Healthcare Cybersecurity Act would also require HHS and CISA to submit a report detailing their efforts to improve cybersecurity coordination.
Past collaborations between HHS and CISA include the October 2023 release of a healthcare cybersecurity toolkit, which provides industry-specific resources for managing and mitigating cyber threats. The toolkit combines materials like CISA’s cyber hygiene services and HHS’s Health Industry Cybersecurity Practices.
“The bipartisan Healthcare Cybersecurity Act will play a vital role in protecting patient data, healthcare provider capabilities, and our broader cybersecurity infrastructure,” said King, stressing the need for decisive action in this area.