Bill Touts CISA, HHS Teamwork to Aid Health Sector SecurityBipartisan Legislation Proposes More Cyber Collaboration, Training, Study
A bipartisan Senate bill proposes closer collaboration between the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency, with the goal of strengthening cybersecurity in the health and public health sectors.
The Healthcare Cybersecurity Act of 2022 was introduced by Sens. Jacky Rosen, D-Nev., and Bill Cassidy, R-La. Rosen, the first computer programmer elected to the U.S. Senate, and Cassidy, a physician, are both members of the Senate Health, Education, Labor and Pensions Committee.
“In light of the threat of Russian cyberattacks, we must take proactive steps to enhance the cybersecurity of our healthcare and public health entities,” said Rosen in a joint statement issued with Cassidy.
“Hospitals and health centers are part of our critical infrastructure and increasingly the targets of malicious cyberattacks, which can result in data breaches, the cost of care being driven up, and negative patient health outcomes. This bipartisan bill will help strengthen cybersecurity protections and protect lives," she said.
“Health centers save lives and hold a lot of sensitive, personal information. This makes them a prime target for cyberattacks,” Cassidy said in the statement. “This bill protects patients' data and public health by strengthening our resilience to cyber warfare.”
A spokesman in Cassidy's office tells Information Security Media Group that the bill has been referred to the Senate Committee on Homeland Security and Governmental Affairs for discussion.
The bill proposes requiring CISA and HHS to collaborate, including by entering into an agreement to improve cybersecurity in the healthcare and public health sector.
The collaboration would include CISA coordinating with and making resources available to information sharing and analysis organizations and nonfederal entities that are receiving information shared through programs managed by HHS.
This would also include sharing information pertaining to cyberthreat indicators and appropriate defense measures.
Also, CISA and HHS would collaborate in developing products "specific to the needs of healthcare and public health sector entities."
Cybersecurity Training and Study
The bill also would authorize cybersecurity training to healthcare and public health sector "asset owners and operators" on cybersecurity risks and ways to mitigate risks to sector information systems.
And it proposes requiring CISA, within one year of enactment of the legislation, to conduct a study on specific cybersecurity risks facing the healthcare and public health sector.
"Coordination is always fine. It's not clear to me how much difference any of this would actually make on private sector healthcare cybersecurity activity."
—Kirk Nahra, WilmerHale
The study would include an analysis of how cybersecurity risks specifically affect health care assets, an evaluation of the challenges healthcare assets face in securing updated information systems and an assessment of relevant cybersecurity workforce shortages, the bill says.
The proposed legislation can be a vehicle to raise awareness of the cybersecurity resources available to healthcare and public health entities - including getting the word out about what Health Information Sharing and Analysis Center and other ISAOs do to help secure the health sector, says Errol Weiss, chief security officer at H-ISAC (see: How H-ISAC Is Tracking Russia-Ukraine Cyberthreats).
"The amount of collaboration we see happening today between HHS and CISA is good - yet there's always room for improvement," he says.
"If we can enhance the level of collaboration and increase coordination between the organizations, I see that as a way to communicate important issues once, with an authoritative voice. For many end users in information security today, it's tough to weed through all the different messages coming from multiple sources to find out what's important and actionable."
"We would like to see even more resources, especially funding, identified to help support and staff up key positions at HHS to make them a more effective partner with CISA and the industry when it comes to dealing with strategic and operational critical infrastructure issues that we face in healthcare."
—Errol Weiss, H-ISAC
Other experts say the bill's proposals to promote tighter collaboration between HHS and CISA on healthcare and public health sector cybersecurity are a worthy effort, but whether it will ultimately improve the sector's security posture is uncertain.
"There are so many moving parts on cybersecurity in general and separately in connection with healthcare overall," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"Coordination is always fine. It's not clear to me how much difference any of this would actually make on private sector healthcare cybersecurity activity - private sector entities already have both lots of reasons to pay close attention to cybersecurity activities and compliance obligations."
Nahra says that most healthcare sector entities appear to be "putting a lot of time and energy into" cybersecurity efforts. "More guidance would be useful and not imposing new detailed obligations would also help focus on better practices," he says.
"If the government thinks that better coordination among government entities will be useful, that’s all fine, but the private sector likely will continue to focus on its own protections and for the most part continue to pay close and careful attention to the effective protection of healthcare industry information systems."
H-ISAC's Weiss says the current draft bill is a decent start, but an influx of talent, funding and other resources are needed to help make major improvements in the health and public health sector's overall cybersecurity posture.
"We would like to see even more resources, especially funding, identified to help support and staff up key positions at HHS to make them a more effective partner with CISA and the industry when it comes to dealing with strategic and operational critical infrastructure issues that we face in healthcare," he says.
Encouraging healthcare organizations to join the Health-ISAC and/or other ISAOs as a good best practice is another great way to support the sector, he says.
Also, "having myriad places to report incidents to is not only confusing and inefficient, but a huge burden to healthcare organizations, especially if they are in the midst of responding to an incident," Weiss says. "The more we can streamline the messaging and reporting, the better."