On March 23, 2022, legislators introduced a new bill, the Healthcare Cybersecurity Act of 2022, which would direct the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on improving cybersecurity across hospitals and healthcare networks in the healthcare and public health sector. The bill follows a warning from the Biden administration that American companies face an increased risk of cyber threats from Russia because of the ongoing conflict in Ukraine.
There are three main components to the bill:
- require CISA and HHS to collaborate on improving cybersecurity in the healthcare sector;
- authorize cybersecurity training for healthcare organizations on ways to mitigate risks to sector information systems; and
- require CISA to conduct a detailed study of the specific cybersecurity risks facing the healthcare industry.
Healthcare facilities hold a significant amount of personally identifiable information and protected health information, making them an attractive target for these attacks. The bill is viewed as a positive step toward the critical improvements needed to strengthen the healthcare sector's resilience against cyber attacks. Data reported to HHS shows that in almost every month of 2020, more than 1,000,000 people were affected by data breaches at healthcare organizations. Cyberattacks involving healthcare facilities rose 55% in 2020, and the average cost of recovering a patient record rose 16% in 2020 compared to 2019. According to data from the HHS Office for Civil Rights (HHS-OCR), health information breaches have increased considerably since 2016. In 2020 alone, HHS-OCR reported 663 breaches at HIPAA covered entities that each affected more than 500 people, with over 33,000,000 people affected by health information breaches in total.