Congress Introduces Legislation to Enhance Cybersecurity in Healthcare Sector
US legislators have introduced a new Healthcare Cybersecurity Bill, aimed at enhancing the federal government’s capacity to prevent and respond to breaches of American medical data.
Introduced by Congressman Jason Crow (D-CO) on June 10, this bipartisan legislation addresses the increasing occurrences of healthcare data breaches across the country.
Recent reports indicated that approximately 190 million Americans had their personal and medical information compromised in 2024 due to a ransomware attack on Change Healthcare, which significantly disrupted patient care.
The proposed Healthcare Cybersecurity Bill mandates collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services (HHS) to bolster cybersecurity in both healthcare and public health sectors. Key collaborative efforts outlined in the bill include:
– Facilitating the exchange of cyber threat intelligence to enhance the understanding of cybersecurity risks in healthcare.
– Offering training by CISA to healthcare organization owners and operators to mitigate risks.
– Developing a specific risk management plan for the healthcare sector by HHS and CISA, focusing on best practices for securing technologies, services, and utilities before, during, and after data breaches.
– Establishing objective criteria to identify high-risk assets within the healthcare sector, ensuring owners and operators are informed.
– Requiring CISA to report to Congress on its support and activities aimed at preparing the healthcare sector to counter cyber threats.
Congressman Brian Fitzpatrick (R-PA), who co-introduced the bill, said the legislation represents proactive and strategic action. It empowers CISA and HHS to coordinate real-time threat sharing, expands cybersecurity training for providers, and sets up a dedicated liaison to improve incident response, thereby building a robust infrastructure to prevent attacks and safeguard patient privacy as a component of national security.
Additionally, in January 2025, HHS announced plans to update the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, reinforcing the need for healthcare providers to adopt enhanced security measures for protecting individuals’ protected health information (PHI). This includes mandating a specific level of authentication for accessing IT systems and requiring ongoing testing of security controls.