Secretary of Health and Human Services Xavier Becerra answers questions at a Senate Health, Education, Labor, and Pensions Committee hearing to discuss reopening schools during COVID-19 at Capitol Hill on Sept. 30, 2021, in Washington. A new bill would put CISA and HHS in charge of evaluating cybersecurity gaps in the healthcare and public health sectors. (Photo by Greg Nash/Pool via Getty Images)

Sens. Jacky Rosen, D-Nev., and Bill Cassidy, R-La., have partnered on a new bill that would pair the Department of Health and Human Services with the Cybersecurity and Infrastructure Security Agency to work on a range of cybersecurity issues affecting the public health sector.

According to a release from Rosen’s office, the bill (S. 3904) would require CISA and HHS to enter into a collaborative agreement on improving cybersecurity in the healthcare and public health sectors, with CISA ultimately charged with defining the scope of that agreement.

Part of that process includes a “detailed study on specific cybersecurity risks” facing the sectors and impacting health IT assets, the challenges healthcare facilities face when securing their information systems, and how to do so while dealing with a shortage of qualified cybersecurity workers. The bill would also authorize new training for healthcare asset owners and operators on a range of cybersecurity risks and how to mitigate them.

“Hospitals and health centers are part of our critical infrastructure and increasingly the targets of malicious cyberattacks, which can result in data breaches, the cost of care being driven up, and negative patient health outcomes,” said Rosen in a statement. “This bipartisan bill will help strengthen cybersecurity protections and protect lives.”

The actual text of the legislation was not made available and has yet to be uploaded to Congress.gov. SC Media has reached out to Rosen’s office to request a copy.

The legislation would deepen the role played by CISA in healthcare and public health, a critical infrastructure sector that has been pummeled by ransomware, breaches and related lawsuits over the years. This past year might have been the worst yet: an analysis by SC Media found that most of the sector’s largest breaches in 2021 each affected a million or more patients, with hundreds of additional reported and unreported incidents falling below that threshold.

A common root cause for many of the worst breaches: third-party providers. Four of the 10 largest, including the Accellion File Transfer Appliance (FTA) hack and a breach at the Florida Healthy Kids Corporation, involved attackers sidestepping a healthcare or public health organization’s own security controls by compromising a trusted third-party service provider it relies on.

That’s an area where CISA has extensive expertise: entities like the National Risk Management Center were designed to map out software and hardware supply chain vulnerabilities, and the Software Bill of Materials (SBOM), an inventory of the components that make up a piece of software, is being promoted across government to give the organizations that deploy software visibility into which third-party libraries it contains and whether any of them carry known vulnerabilities.