
Senate bill would team up CISA and HHS to improve health cybersecurity

Secretary of Health and Human Services Xavier Becerra answers questions at a Senate Health, Education, Labor, and Pensions Committee hearing to discuss reopening schools during COVID-19 at Capitol Hill on Sept. 30, 2021, in Washington. A new bill would put CISA and HHS in charge of evaluating cybersecurity gaps in the healthcare and public health s...

Sens. Jacky Rosen, D-Nev., and Bill Cassidy, R-La., have partnered on a new bill that would pair the Department of Health and Human Services with the Cybersecurity and Infrastructure Security Agency to work on a range of cybersecurity issues affecting the public health sector.

According to a release from Rosen’s office, the bill (S. 3904) would require CISA and HHS to enter into a collaborative agreement around improving cybersecurity in the healthcare and public health sectors, with CISA ultimately charged with defining what that means.

Part of that process includes a “detailed study on specific cybersecurity risks” facing the sectors and impacting health IT assets, the challenges healthcare facilities face when securing their information systems, and how to do so while dealing with a shortage of qualified cybersecurity workers. It would also authorize new training for healthcare asset owners and operators on a range of cybersecurity risks and how to mitigate them.

“Hospitals and health centers are part of our critical infrastructure and increasingly the targets of malicious cyberattacks, which can result in data breaches, the cost of care being driven up, and negative patient health outcomes,” said Rosen in a statement. “This bipartisan bill will help strengthen cybersecurity protections and protect lives.”

The actual text of the legislation was not made available and has yet to be uploaded to Congress.gov. SC Media has reached out to Rosen’s office to request a copy.

The legislation would deepen the role played by CISA in healthcare and public health, two critical infrastructure sectors that have been pummeled by ransomware, breaches and related lawsuits over the years. This past year might have been the worst ever: an analysis by SC Media found that most of the large breaches in the sector in 2021 each affected a million patients, with hundreds of additional reported and unreported incidents taking place below that level.

A common root cause for many of the worst breaches: third-party providers. Four of the 10 worst breaches, including the Accellion File Transfer Application hack and a breach of the Florida Healthy Kids Corporation, involved attackers sidestepping the security protections of healthcare and public health providers by compromising the trusted third-party service providers they rely on.

That is an area in which CISA has extensive expertise: entities like the National Risk Management Center were designed to map out software and hardware supply chain vulnerabilities, and concepts like the Software Bill of Materials are being pushed to give software developers more transparency and insight into faulty or exploitable code.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
