Amid warnings of potential Russian cyberattacks, new Senate bill directs CISA, HHS to shore up digital defenses

A bipartisan bill introduced Wednesday in the Senate aims to shore up the healthcare industry’s cyber defenses shortly after White House warnings of potential Russian cyberattacks.

The so-called Healthcare Cybersecurity Act would direct the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to work side by side on bolstering cybersecurity readiness among healthcare and public health organizations, according to statements from its co-sponsors.

Additionally, the bill would authorize cybersecurity training for healthcare and public health asset owners and operators, and would task CISA with conducting a new study on cybersecurity risks in these sectors.

“Health centers save lives and hold a lot of sensitive, personal information. This makes them a prime target for cyberattacks,” Sen. Bill Cassidy, M.D., R-Louisiana, a co-sponsor of the bill, said in a statement. “This bill protects patients’ data and public health by strengthening our resilience to cyber warfare.”

Announcements from Cassidy and fellow co-sponsor Jacky Rosen, D-Nevada, cited a recent Politico analysis of HHS data that found over 46 million people in the U.S. had their health data breached last year, representing a threefold increase in three years.

Another report published earlier this year by cybersecurity company Critical Insights placed that number at 45 million but specifically noted that health plans and outpatient/specialty clinics saw a respective 35% and 41% increase in attack frequency from 2020 to 2021.

Longstanding calls for greater digital defenses were reiterated Monday by the White House, which cited “evolving intelligence” that the Russian government “is exploring options for potential cyberattacks” as a response to Western allies’ economic sanctions. The administration said CISA has already been working with “critical infrastructure” organizations to prepare for and mitigate a potential attack.

“In light of the threat of Russian cyberattacks, we must take proactive steps to enhance the cybersecurity of our healthcare and public health entities,” Rosen said in a statement on the new bill. “Hospitals and health centers are part of our critical infrastructure and increasingly the targets of malicious cyberattacks, which can result in data breaches, the cost of care being driven up, and negative patient health outcomes. This bipartisan bill will help strengthen cybersecurity protections and protect lives.”

Rosen’s announcement was accompanied by applause from healthcare providers including Renown Health and University Medical Center of Southern Nevada (UMC), the latter of which informed HHS of a ransomware attack estimated to have affected up to 1.3 million people.

“UMC supports the Healthcare Cybersecurity Act to further protect our patients’ private health care information,” UMC CEO Mason Van Houweling said in a statement. “As a recent victim of a cybersecurity attack, we understand the importance of collaborating with various agencies to safeguard valuable information through education, mitigation and additional resources.”