US senators propose law to require bare minimum security standards

In case anyone forgot about Change Healthcare


American hospitals and healthcare organizations would be required to adopt multi-factor authentication (MFA) and other minimum cybersecurity standards under new legislation proposed by a bipartisan group of US senators. 

The Health Care Cybersecurity and Resiliency Act of 2024 [PDF], introduced on Friday by US Senators Bill Cassidy (R-Louisiana), Mark Warner (D-Virginia), John Cornyn (R-Texas), and Maggie Hassan (D-New Hampshire), would, among other things, require better coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) around cybersecurity in the healthcare and public health sector.

This includes giving HHS a year to implement a cybersecurity incident response plan and to update the types of information displayed publicly via the department's breach reporting portal.

Currently, all healthcare orgs that are considered "covered entities" under the US Health Insurance Portability and Accountability Act (HIPAA) are required to notify HHS if they are breached. The new law would require breached entities to report how many people were affected by the security incident. 

It would also mandate that the portal include details on "any corrective action taken against a covered entity that provided notification of a breach" as well as "recognized security practices that were considered" during the breach investigation, plus any other information that the HHS secretary deems necessary.

While MFA and encryption of protected health information are the only specific infosec practices called out in the proposed legislation, it would require covered entities and their business partners to adopt "other minimum cybersecurity standards" as determined by the HHS secretary. Healthcare orgs would then have to conduct audits, including penetration testing, to ensure that their security processes and protections were up to par.

Some of the other sections in the bill would provide federal training for health-sector owners and operators on cybersecurity best practices, grants to help providers improve their security posture, and additional support for rural clinics on breach prevention, resilience, and coordination with federal agencies.

"Cyberattacks on our health care sector not only put patients' sensitive health data at risk but can delay life-saving care," said Cassidy, who is also a medical doctor and ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee.

These real-world effects of a cyberattack became all too apparent earlier this year when a ransomware gang locked up Change Healthcare's systems, disrupting thousands of pharmacies and hospitals across the US and accessing sensitive health data belonging to around 100 million people.

It took Change Healthcare nine months to restore its clearinghouse services after the ransomware infection, which cost the UnitedHealth-owned company more than $2 billion in remediation to date.

The Change ransomware attack also led Warner and Senator Ron Wyden (D-Oregon) to introduce a bill that would create mandatory minimum infosec standards for certain health providers and companies. ®
