Healthcare organizations: Don’t wait for legislation to adopt cybersecurity best practices

Legislation proposed in late 2024 by a bipartisan group in the Senate would introduce broad new requirements that healthcare organizations invest in and better manage cybersecurity risks. Healthcare providers, however, should be more proactive in managing their risk. Here’s what organizations should be focusing on, regardless of whether the bill is passed.

What’s in the proposed bill

In late November, U.S. Senators Bill Cassidy (R-LA), John Cornyn (R-TX), Maggie Hassan (D-NH), and Mark Warner (D-VA) introduced the Health Care Cybersecurity and Resiliency Act of 2024, legislation that the group said would “strengthen cybersecurity in the health care sector and protect Americans’ health data.” Among other provisions, the proposed bill:

  • Directs the Department of Health and Human Services (HHS) to coordinate with the Cybersecurity and Infrastructure Security Agency (CISA) to improve cybersecurity in the healthcare sector. The bill requires HHS to develop and implement a cybersecurity industry response plan and update regulations under the Health Insurance Portability and Accountability Act (HIPAA) regarding cybersecurity practices for covered healthcare entities and business associates.

  • Requires covered healthcare entities and business associates to report information about cybersecurity incidents, including the number of individuals affected and any “corrective actions” taken as a result.

  • Requires HHS to issue guidance on cybersecurity best practices for rural healthcare entities and permits the department to award grants to hospitals and others to facilitate the adoption of best practices.

Healthcare cybersecurity mindsets shifting

The proposed legislation comes at a time of unprecedented cyber risk for healthcare organizations and patients. Notably, the February 2024 attack against payment processing vendor Change Healthcare put the health information of some 100 million Americans at risk, according to HHS. The breach has spawned dozens of lawsuits against healthcare organizations and prompted greater scrutiny of cybersecurity practices in healthcare by consumers, legislators, regulators, and insurers; many cyber insurers now require buyers in every industry to implement specific controls as a condition of coverage.

The Change Healthcare incident and other recent, large-scale cybersecurity events involving major vendors — with the potential to have ripple effects across the industry — have also prompted a shift in mindsets. While some of these events have been high-profile, many ransomware attacks and data breaches have largely escaped public attention but are top of mind for healthcare industry leaders.

Compared to just 18 months ago, C-suite executives, information security professionals, and others in the healthcare industry are much more keenly aware of their exposure and of the likelihood that their organizations will eventually be targeted by such attacks. As a result, many organizations have increased their investment in loss prevention services since mid-2023.

If passed, the new legislation would compel healthcare organizations to adopt cybersecurity best practices. Legislation, however, should not be the driving force behind improved cyber hygiene for the industry.

Taking action

The good news for healthcare organizations — including the many nonprofits and privately held organizations with limited cybersecurity expertise and resources — is that existing guidance already offers a path toward improved cyber hygiene. The National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 gives clear direction to healthcare organizations of any size or maturity on how to mitigate their cyber risk more effectively.

Specifically, the framework provides resources to help organizations:

  • Assess their existing cybersecurity posture and identify potential gaps to be filled.

  • Prioritize actions they must take to mitigate cybersecurity risks in line with their missions and relevant legal and regulatory requirements under HIPAA and other laws.

  • Communicate with key internal and external stakeholders about cybersecurity risks and plans.

Organizations should also consult with brokers and others to understand which cybersecurity controls underwriters require before they will bind cyber insurance coverage, and how to implement them. These controls typically include:

  • Authentication procedures, such as multifactor authentication for remote and privileged access.

  • Data backup solutions, including backups that are kept offline or otherwise isolated from the production network.

  • Email and web blocking and filtering solutions.

  • Phishing training and testing.

  • Identification and replacement, or isolation, of end-of-life software.

  • Endpoint detection and response tools.

  • Managed detection and response services.

  • Security monitoring.

Finally, organizations can work with their brokers and outside consultants to mitigate potential losses from cyber-driven business interruption events, ransomware attacks, and more. A proactive approach to business interruption, for example, requires that healthcare organizations:

  • Develop effective incident response plans that outline the steps the organization will take to detect, analyze, and respond to various events. Plans should include criteria for categorizing and prioritizing event types and should define key roles and responsibilities for team members and stakeholders.

  • Secure cyber insurance coverage to mitigate financial losses from a cyber event. Organizations should work with their brokers to optimize terms and conditions and to understand key policy provisions, including those allowing organizations to access legal counsel and relevant expertise, such as forensic accounting firms, that can aid in response and recovery.

  • Commission and analyze business interruption modeling to forecast the cost implications of a cyber event. Rather than relying on peer events, such modeling should be built from the healthcare organization’s own exposure data.

For more information and insights, explore our Cyber Business Interruption Playbook and register for our Jan. 22 webcast on this topic.