Bipartisan Senate Bill Requires HHS to Bolster Cyber EffortsLegislation Aims to Evaluate and Improve Agency's Cybersecurity Posture
As a record number of cyberattacks target the healthcare sector, U.S. lawmakers want to make sure the federal government's house is in order in case a major breach occurs.
The security practices of the U.S. Department of Health and Human Services, which manages data related to 65 million Medicare patients, are the focus a new bipartisan Senate bill that would require HHS to biennially conduct cybersecurity reviews and tests on its IT systems and report to Congress on how it is updating its cybersecurity strategy to keep up with evolving cyberthreats.
The Strengthening Cybersecurity in Health Care Act - introduced Friday by Sens. Angus King, I-Maine, and Marco Rubio, R-Fla. - is the latest congressional effort in recent months aimed at bolstering cybersecurity in the healthcare sector.
The Rubio/King bill would require HHS "to perform consistent evaluations of its cybersecurity systems and provide biannual reports on its current practices and progress on future safety procedures they are working to implement," the senators said in a joint statement last week.
"As the number of threats continues to grow, consistent evaluations will prove to be a lifeline to the medical community treating our family and friends," King said in a statement.
"Since the pandemic, we have seen a rise in the number of cyberattacks against our healthcare systems. This legislation aims to reassure the American people by better safeguarding their sensitive information, ensuring peace of mind during these ever-changing times," Rubio said.
In 2023, healthcare and related organizations reported a record number of major cyberattacks - 734 breaches that affected a record 135.3 million people - to HHS. That's equal to more than 40% of the U.S. population having their protected health information compromised in a single year (see: How 2023 Broke Long-Running Records for Health Data Breaches).
Details of the Bill
Specifically, the bill proposes that the HHS Office of Inspector General evaluate the cybersecurity practices and protocols of HHS every two years.
The evaluation would be conducted through penetration and other tests "to determine how systems processing, transmitting or storing mission critical or sensitive data by, for, or on behalf of HHS" could expose patient data - such as Medical beneficiary information - or affect patient safety.
The bill would also require HHS to submit to Congress every two years a report that describes how HHS will update its cybersecurity practices and protocols to adapt to the latest cyberattack strategies.
Also, the OIG would be required to submit to Congress a report every two years that describes how that watchdog agency is using federal funds to conduct the testing of HHS' cybersecurity systems and any additional funding or legislative action required for it to maintain its evaluation of the department.
The language in the proposed legislation strengthens the current requirements for HHS under the Federal Information Security Modernization Act by mandating penetration and other security testing of its IT systems.
A senate aide told Information Security Media Group the bill would "complement" the current FISMA requirement.
"Hackers will oftentimes only infiltrate systems for the money, but hackers can also infiltrate systems to steal Medicare numbers to commit long-term fraud or collect information to put a patient at risk of harm. The bill calls attention to how the OIG is protecting from hackers that specifically aim to infiltrate their systems with the goal of exposing patient data and impacting safety," the aide said. "Additionally, it requires more transparency from the agency to Congress."
The office in a statement to ISMG said that while the current FISMA requires that the inspector general or an independent external auditor perform annual evaluations of HHS' agencywide information security program, FISMA does not specify the types of testing - including penetration testing - that HHS or the OIG must perform.
"The current bill would explicitly require the HHS-OIG to employ penetrating testing or other testing procedure to evaluate cybersecurity practices to determine how systems can be compromised," the office told ISMG.
Neither King - who is co-chair of the bipartisan Cyberspace Solarium Commission, nor Rubio - who is vice chairman of the Senate Select Committee on Intelligence - immediately responded to ISMG's requests for additional comment on their proposed healthcare sector cybersecurity legislation and on several other similar efforts underway in the federal government.
The King-Rubio bill follows other recent congressional activity aimed at bolstering cybersecurity in the healthcare sector.
That includes the launch last November of a bipartisan Senate working group focused on rallying congressional support for potential legislation focused on improving the state of cybersecurity in the healthcare sector (see: New Bipartisan Senate Group Tackling Healthcare Cyber Bill).
The effort is being spearheaded by Sen. Bill Cassidy, R-La., ranking member of the Senate Committee on Health, Education, Labor and Pensions, and Sens. Mark Warner, D-Va.; John Cornyn, R-Texas; and Maggie Hassan, D-NH.
In a statement provided to ISMG, Warner said he is encouraged by the attention being given to healthcare cybersecurity.
"For years, I've been leading the charge in this space, and I'm glad to see that cybersecurity, particularly in healthcare, is finally becoming a Senate-wide priority," he said.
"I'm pleased that HHS is also prioritizing cybersecurity, including looking into requiring basic best practices. This year I'll be introducing legislation to do just that, because I believe basic protective cyber hygiene practices - just like basic infection control practices - is part of keeping patients safe," Warner added.
Last June, the Senate Homeland Security and Governmental Affairs Committee approved the bipartisan Rural Hospital Cybersecurity Enhancement Act, which proposes to help rural hospitals better address cybersecurity personnel shortages.
That bill, sponsored by Missouri Republican Sen. Josh Hawley and co-sponsored by the committee chair, Sen. Gary Peters, a Michigan Democrat, so far has not moved beyond the committee (see Bill for Rural Hospital Cyber Skills Passes Senate Committee).
The Biden administration in December unveiled a concept paper that outlines a strategy for helping to improve cybersecurity in the healthcare sector (see: Biden Administration Issues Cyber Strategy for Health Sector).
Last month, HHS began fleshing out those plans by issuing guidance that describes sets of voluntary "essential" and "enhanced" cybersecurity performance goals for healthcare sector entities to implement (see: HHS Details New Cyber Performance Goals for Health Sector).
HHS said the goals will be used to "inform" upcoming rule-making to create potential sticks and carrots for healthcare organizations - such as participants in Medicare and Medicaid programs and under-resourced provider groups - that the department would like to have implement the recommended practices.