U.S. Senators Angus King (I-ME) and Marco Rubio (R-FL) recently introduced a bill addressing cybersecurity protections and oversight in the healthcare industry. The Strengthening Cybersecurity in Health Care Act, introduced on February 8, 2024, aims to bolster a vulnerable and often-targeted industry against cyberattacks. The proposal follows a number of significant cyberattacks on healthcare organizations in recent years; Senator King noted that approximately 133 million people, or nearly one in three Americans, had their personal information compromised in 2023 alone.

Current Vulnerability of Healthcare Data

While 44 million people were affected by breaches of healthcare information in 2022, that number ballooned to roughly 133 million in 2023 as hackers and other cybercriminals grew more sophisticated in their attacks. For example, the country’s largest for-profit hospital system suffered a theft of health data affecting as many as 11 million patients; the stolen data included patients’ names, addresses, and dates of birth, as well as service dates, service locations, and the dates of upcoming appointments. A November 2023 attack on a multistate hospital system demonstrated that cyberattacks imperil not only patient information but also patient care itself: elective surgical procedures had to be postponed and ambulances were diverted to other hospitals.

Cybercriminals are not targeting only hospital systems and other healthcare providers. In December 2023, an analytics software vendor suffered a breach in which hackers gained access to a system used by healthcare professionals to help improve patient outcomes, exposing the protected health information of more than four million patients. Another software solutions provider suffered a breach of more than 2.5 million records when it was attacked with ransomware. Although neither incident was a direct attack on a healthcare provider, together they affected at least twelve hospitals and health systems that relied on those vendors, illustrating that a single third-party compromise can expose data held on behalf of many covered entities at once.

Proposed Changes

The Strengthening Cybersecurity in Health Care Act would require the United States Department of Health and Human Services (HHS) to perform regular evaluations of data security, including penetration tests of systems housing Medicare patient data. HHS would also be required to report regularly on its current cybersecurity practices and on how those practices change in response to the new requirements, and to conduct assessments of how its systems for processing, transmitting, or storing sensitive data could be compromised or otherwise pose a risk to patient data or patient safety. The Act also mandates that HHS submit reports to Congress on how the agency is using federal funds to carry out these evaluations and to improve its processes.

Next Steps

The proposed Strengthening Cybersecurity in Health Care Act reflects the government’s renewed emphasis on enhancing cybersecurity in healthcare. As part of this push for heightened security measures, HHS recently introduced a set of cybersecurity performance goals (CPGs) designed to help healthcare organizations prioritize the implementation of high-impact cybersecurity practices.

While currently voluntary, the CPGs represent the agency’s first concrete step in this direction. Healthcare organizations should recognize that, although implementing the CPGs is not yet required, some or all of the recommended goals could become mandatory if the government decides to take further action to protect the nation’s health data. Moreover, implementing the CPGs now could give organizations a significant advantage by positioning them well for a future regulatory landscape that may mandate such practices. Investing in cybersecurity supports long-term readiness for any government-mandated requirements while also helping to prevent costly data breaches. Accordingly, healthcare entities are encouraged to integrate these practices proactively, not merely as a compliance measure but as part of their broader risk management strategy.

Key Takeaways

Healthcare providers, and any organization that uses or accesses healthcare data, should closely monitor legislative developments related to healthcare data privacy and security. While organizations should take measures to protect their data on their own initiative, data security and privacy officers will also want to ensure their organizations comply with changing federal and state requirements. Given the recent spate of hacks and cyberattacks, the security of healthcare data is a growing focus of federal oversight, and revisions to current requirements are likely coming soon.