The American Hospital Association announced its support for legislation requiring CISA to improve cybersecurity for the health sector.

The American Hospital Association announced its support for the Healthcare Cybersecurity Act, as it would require the Cybersecurity and Infrastructure Security Agency to improve cybersecurity of the healthcare sector through collaboration with the Department of Health and Human Services.

H.R. 8806 was introduced by Reps. Jason Crow, D-Colo., and Brian Fitzpatrick, R-Pa., on Sept. 13, with a companion bill introduced in the Senate by Sens. Jacky Rosen, D-Nev., and Bill Cassidy, R-La.

The bill comes in response to the increasingly common attacks against the sector, which are driving up healthcare costs and impacting patient safety. Rosen explained the hope is the legislation could “strengthen cybersecurity protections and protect patient information” by taking proactive steps to enhance threat sharing and improve cybersecurity across the board.

The legislation mandates CISA to conduct a study on cybersecurity risks facing the public health and healthcare sectors, which would address the impact of the “risks on rural entities and small- and medium-sized entities, cybersecurity workforce shortages in the sector, and challenges related to the COVID-19 emergency.”

CISA would also be required to collaborate with HHS on the creation of resources, including cyber-threat indicators and appropriate defense measures to be made available to both federal and nonfederal entities that rely on HHS programs for information, in addition to providing healthcare entities with training on cybersecurity risk and mitigation strategies.

The bill follows a Senate letter sent to HHS last month, seeking an urgent meeting to operationalize collaboration across the healthcare sector to defend against the scourge of ransomware attacks.

In recent months, federal agencies have ramped up efforts to better understand and support HHS with the sector’s ongoing challenges in adhering to the presidential policy directive to build federal partnerships that strengthen critical infrastructure, including the healthcare sector, which was deemed to have unique operating models and risk profiles.

A ‘first step’ to addressing healthcare cybersecurity challenges

The proposal has received overwhelming support from the American Hospital Association, which represents approximately 5,000 member hospitals, health systems and healthcare organizations and more than 270,000 affiliated physicians, 2 million nurses and other caregivers, as well as 43,000 healthcare leaders of professional membership groups.

Noting that hospitals and health systems have made strong progress in defending provider networks, securing patient data, and protecting patient safety, AHA Executive Vice President Stacey Hughes wrote that the bill “takes first steps towards addressing many of the cybersecurity challenges facing hospitals and health systems.”

In particular, the bill is lauded for its focus on collaboration and coordination, as well as the opportunities to address challenges with rural healthcare, medical devices, and cybersecurity workforce shortages.

AHA also supports “the development of coordinated national defensive measures, an expansion of the cybersecurity workforce, disruption of bad actors that target U.S. critical infrastructure, and the utilization of a ‘whole of government’ approach to increasing risk and consequences for those who commit attacks.”

Calling the proposed bill a “step in the right direction for hospitals and healthcare organizations,” Greg Murphy, Ordr president and CEO, notes that government involvement, guidance, and regulation are helpful in “moving the needle from less secure to more secure.”

However, as seen with the removal of medical device cybersecurity requirements from the FDA user-fee bill, providers should not be waiting for action without taking needed steps to address systemic challenges facing every single healthcare organization. Federal agencies have ramped up targeted threat intelligence for healthcare, while Congress has held multiple committee hearings on the biggest threats and challenges.

But federal efforts take time, and threat actors thrive in that space. As Murphy notes, “Attacks are increasing in frequency every day — and if you are unaware of what devices are connecting to your network, or what vulnerabilities those devices have, then you’re courting danger.”

Entities should be focusing on efforts to gain visibility into their networks and reviewing the vast, freely offered healthcare resources to better understand how to protect their organization.

“There has been a great deal of debate among policy makers and government agencies about how to better regulate connected devices,” said Murphy. “But organizations who wait for these guidelines or requirements to be finalized are putting themselves — and their customers — at risk.”