Cybersecurity measures advance in Washington

Our cybersecurity series continues with a look at what's happening in Congress. A Senate bill would authorize more cybersecurity training for hospitals. And a new law requires hospitals to report attacks and ransom payments more quickly.

Cybersecurity experts have been calling on Washington to help hospitals prepare for attacks, and lawmakers are starting to pay attention.

A U.S. Senate panel approved bipartisan legislation that would offer more cybersecurity training for hospitals and improve the sharing of information about threats aimed at the healthcare sector.

U.S. Sens. Jacky Rosen, D-Nevada, and Bill Cassidy, R-Louisiana, sponsored the bill. The legislation directs the U.S. Cybersecurity and Infrastructure Security Agency to work with the U.S. Department of Health and Human Services to help healthcare organizations improve their defenses.

“Hospitals and healthcare centers are part of our critical infrastructure and increasingly are the targets of malicious cyberattacks, which can result in data breaches and the cost of care gets driven up and can have negative patient health outcomes,” Rosen said last week.

More healthcare organizations have been reporting cyberattacks in recent years, and analysts say 2022 could be even worse. Federal authorities have warned healthcare organizations they need to bolster their defenses, particularly in light of Russia’s invasion of Ukraine.

Dozens of breaches in the health sector have already been reported in 2022, affecting millions of people.

The Senate Homeland Security and Governmental Affairs Committee approved the bill last week.

“In light of these threats, we must take proactive steps to enhance the cybersecurity of our healthcare and our public health entities,” Rosen said before the committee vote.

The measure calls for an analysis of cybersecurity threats aimed at the healthcare sector, with a focus on rural hospitals. The American Hospital Association, which has endorsed the bill, also said the legislation would assess the vulnerabilities of medical devices and a shortage of cybersecurity workers.

“This bill takes first steps towards addressing many of the cybersecurity challenges facing hospitals and health systems,” Stacey Hughes, AHA vice president, wrote in a letter to the sponsors of the bill.

Hospitals also now must report cyberattacks and ransom payments to authorities much more quickly, under federal legislation signed by President Joe Biden last month.

The 2022 federal budget package approved last month contained important provisions related to cybersecurity. Hospitals, healthcare systems and others in critical infrastructure sectors must report any cyberattacks or incidents within 72 hours to CISA and the U.S. Department of Homeland Security. Hospitals and health systems must tell the agencies within 24 hours if they have made any ransomware payments.

Previously, healthcare organizations had to notify the health department of any breaches affecting more than 500 people within 60 calendar days, but were encouraged to move without unreasonable delay.

Now, hospitals must alert authorities within days of an attack and within hours of a payment.

U.S. Sen. Gary Peters, D-Michigan, sponsored the legislation, which was ultimately merged into the omnibus spending package.

“This historic, new law will make major updates to our cybersecurity policy to ensure that, for the first time ever, every single critical infrastructure owner and operator in America is reporting cyber-attacks and ransomware payments to the federal government,” Peters said in a statement.

Under the new law, CISA now has the authority to subpoena organizations that don’t report cyberattacks or ransomware payments. Companies that don’t comply with a subpoena can be referred to the U.S. Department of Justice, Peters’ office said.

CISA is also directed to form a joint ransomware task force to coordinate federal efforts.

Lawmakers are also taking a look at cyber defenses in the U.S. Department of Veterans Affairs, which is responsible for the healthcare of millions of veterans.

Rosen and U.S. Sen. Marsha Blackburn, R-Tennessee, have sponsored a bill that calls for an independent evaluation of the VA’s information systems. The VA would also be directed to submit a plan to address any deficiencies found in the assessment.
