What providers should know about the new cybersecurity Senate Bill
Tshedimoso Makhene Dec 5, 2024 3:18:42 AM
The U.S. Senate has introduced the Health Care Cybersecurity and Resiliency Act of 2024, a bipartisan effort aimed at enhancing cybersecurity in the healthcare sector. It calls for updating HIPAA regulations and improving coordination between federal agencies.
What happened
U.S. Senators Bill Cassidy (R-La.), Mark Warner (D-Va.), John Cornyn (R-Texas), and Maggie Hassan (D-N.H.) introduced the Health Care Cybersecurity and Resiliency Act of 2024 to address the growing threat of cyberattacks in the healthcare sector. The bill proposes comprehensive measures to modernize healthcare cybersecurity, including updates to HIPAA and increased collaboration between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
The legislation is a result of the bipartisan Senate healthcare cybersecurity working group formed in November 2023, which identified legislative solutions for cybersecurity challenges in healthcare.
What healthcare providers should expect
"We know that cyberattacks on healthcare institutions can have devastating consequences, not just for organizations but for patients whose data is at risk. This bill provides the necessary tools to ensure healthcare systems are resilient against these growing threats," says Senator John Cornyn.
The proposed legislation is designed to address both immediate and long-term cybersecurity challenges. Here’s what healthcare providers should be looking out for:
- Updated HIPAA regulations: If passed, the Health Care Cybersecurity and Resiliency Act would require HHS to update the Health Insurance Portability and Accountability Act (HIPAA) to include modern cybersecurity practices. Healthcare providers would need to comply with these updated standards to protect patient data.
- Increased coordination between HHS and CISA: The bill mandates better collaboration between HHS and CISA, ensuring healthcare institutions receive up-to-date cyber threat intelligence and timely support during cyberattacks. Providers should expect enhanced communication and resources from federal agencies to help them prepare for and respond to cybersecurity incidents.
- Cybersecurity incident response plan: Healthcare organizations will be required to implement and adhere to an incident response plan developed by HHS. This includes following guidance for recognized security practices under the Consolidated Appropriations Act of 2021, which will help providers respond effectively to cyber incidents.
- Grants and guidance for rural healthcare providers: Rural healthcare providers, who often face unique cybersecurity challenges, will be a focus of the bill. HHS will be tasked with issuing guidance on breach prevention and offering grants to help rural entities adopt best cybersecurity practices.
- Workforce training: The bill allows HHS and CISA to collaborate on cybersecurity training for healthcare workers, ensuring that staff are equipped with the necessary skills to handle evolving cyber threats.
FAQs
When will the bill take effect?
If passed, the bill will be enacted into law, and healthcare organizations will be given a timeframe to comply with the updated HIPAA regulations and other requirements. The exact timeline will be determined by HHS and CISA.
What steps should healthcare organizations take now to prepare for the bill’s potential passage?
Healthcare organizations should conduct cybersecurity assessments to identify gaps in their defenses, begin preparing for updates to HIPAA, and review their incident response plans. They should also look into potential grant opportunities for rural providers and consider investing in workforce training to improve cybersecurity readiness.