US senators propose law to require bare minimum security standards

November 26, 2024 at 11:10AM

Proposed legislation, the Health Care Cybersecurity and Resiliency Act of 2024, mandates American hospitals to adopt multifactor authentication and minimum cybersecurity standards. It aims to enhance coordination between HHS and CISA, improve breach reporting, and provide federal cybersecurity training, reflecting the urgency of safeguarding sensitive health data after recent cyberattacks.

### Meeting Notes Takeaways

1. **Legislation Proposal**:
– The Health Care Cybersecurity and Resiliency Act of 2024 has been introduced by Senators Bill Cassidy, Mark Warner, John Cornyn, and Maggie Hassan.
– This bipartisan legislation aims to enhance cybersecurity measures in American hospitals and healthcare organizations.

2. **Mandatory Cybersecurity Standards**:
– Proposed requirements include the adoption of multi-factor authentication (MFA) and encryption for protected health information.
– Covered entities must meet additional minimum cybersecurity standards as defined by the Department of Health and Human Services (HHS).

3. **Coordination and Reporting**:
– Enhanced coordination between HHS and the Cybersecurity and Infrastructure Security Agency (CISA) is mandated.
– HHS has one year to implement a cybersecurity incident response plan and update its breach reporting portal to include:
  – Number of individuals affected by breaches.
  – Corrective actions taken against entities that report breaches.
  – Details of recognized security practices considered during breach investigations.

4. **Audits and Assessments**:
– Covered entities and business partners will be required to conduct audits, including penetration testing, to validate their cybersecurity measures.

5. **Federal Support and Training**:
– The bill includes provisions for federal cybersecurity training for healthcare sector personnel.
– Grants aimed at improving security measures will be available to healthcare providers, particularly for rural clinics.

6. **Real-World Background**:
– The urgency of the legislation is underscored by significant cyberattacks, such as the Change Healthcare ransomware attack, which affected thousands of healthcare facilities and compromised sensitive data for around 100 million individuals.
– This incident emphasized the severe impact of cyberattacks on patient care and healthcare operations.

7. **Financial Impact**:
– The ransomware attack on Change Healthcare resulted in over $2 billion in remediation costs and disrupted services for an extended period.

8. **Related Legislative Efforts**:
– Following the Change Healthcare incident, additional legislative efforts are underway, focusing on establishing mandatory minimum information security standards for certain health providers.

These takeaways summarize the main points discussed during the meeting regarding proposed cybersecurity legislation in the healthcare sector.