The News: A bipartisan healthcare cybersecurity act is underway, recently introduced by U.S. Senators Bill Cassidy, M.D. (R-LA) and Jacky Rosen (D-NV). The bill would require the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on improving cybersecurity measures across hospitals and healthcare networks. Read the Press Release from Senator Cassidy’s office here.
New Bipartisan Healthcare Cybersecurity Act Aims to Improve Protection Efforts
Analyst Take: The new bipartisan healthcare cybersecurity act is something I don’t find it all difficult to get excited about. Think about it for a moment: How would you feel if strangers were able to access the inside of your medicine cabinet or even worse, your medical records? Healthcare data is delicate and highly personal, which is why there are many measures in place to protect its confidentiality. However, now that healthcare information is primarily digitized, it is also increasingly vulnerable to cyberattacks.
Research shows that healthcare-related cyber crimes are rising at an alarming rate. Patient information is some of the most sensitive data that exists, making it a hot target for cyber criminals and a significant risk for healthcare organizations. Think it’s not a problem or that it’s not something you need to be worried about? Not the case. In fact, Politico recently reported that nearly 50 million Americans experienced breaches in their health data in 2021 alone, a threefold increase over three years.
That’s why a bipartisan healthcare cybersecurity act is, to my way of thinking, welcome news. In an effort to reverse this trend, U.S. Senators Cassidy and Rosen introduced the Healthcare Cybersecurity Act on March 23rd. The bill directs the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to collaborate on improving cybersecurity measures across hospitals and healthcare networks. It also would authorize cybersecurity risk and mitigation training for Healthcare and Public Health sector asset owners and operators, and direct CISA to study the specific risks and challenges currently faced by organizations in the healthcare sector.
Why is Cybersecurity a Concern for Healthcare Agencies?
Healthcare data is covered by specific protections for good reason. The HIPAA Security Rule requires healthcare providers to observe data security practices for the storage and transfer of protected health information (PHI) because, in addition to sensitive information about people’s health, it includes names, addresses, dates of birth, billing information, and other data that is very valuable to cyber criminals. The depth of information contained in health records offers increased potential for fraud and identity theft, which can be much harder to detect and manage than simple credit card data leaks. Steal credit card info, rack up charges — irritating and inconvenient. Steal healthcare PHI and an ill-intentioned criminal now has the keys to someone’s entire identity.
This is a concern for healthcare agencies, not only due to their desire and mandate to protect consumer’s PHI, but because the nature of the cyber crimes they are vulnerable to in pursuit of this information poses other serious risks as well. Between ransomware extortion threats, data breaches, and DDoS attacks (which disrupt network functionality), healthcare agencies are impacted financially, organizationally, and personally. Cyber attacks have an incredibly high cost in lost revenue opportunities, productivity and time-management among personnel, and potentially enduring damage to an institution’s reputation. Still, healthcare agencies are currently fighting an uphill battle to identify and eliminate these threats.
What the Healthcare Cybersecurity Act Requires of Healthcare Agencies
In the face of mounting cybersecurity threats and evidence that Russia in particular continues to target the U.S., the Healthcare Cybersecurity Act aims to improve protection efforts through collaboration, training, and research. Senators Rosen and Cassidy note that “collaboration and information sharing between the public and private sectors is essential to increasing cyber resilience for health-focused entities.” What might this mean for the entities in question?
If the bill is passed, healthcare organizations will likely see the bar raised when it comes to the secure storage and transmission of protected health information. That’s a good thing. To meet this mandate, they will benefit from the increased availability of cybersecurity risk and mitigation training opportunities for personnel. In addition, as CISA studies relevant cybersecurity workforce shortages and proposes solutions, healthcare agencies should see results that include a growing talent pool of qualified cybersecurity professionals — which I is very much needed. Deeper understanding of the challenges healthcare agencies face in securing updated information systems should likewise result in greater availability of smarter, more effective solutions.
While holding cybersecurity efforts to a higher standard, the proposed Healthcare Cybersecurity Act proposed also aims to strengthen the affected entities’ ability to meet or exceed them.
Healthcare Cybersecurity Protections are Critical to Our Future
Both higher cybersecurity standards and better tools for reaching them are critical not only to our personal privacy but to national security. The impacts of cyber crime in healthcare and other sectors are both destabilizing and potentially debilitating. Our healthcare organizations in particular are a vital part of our national infrastructure and must not remain vulnerable to domestic or foreign threats. The costs of cyber crime to both our financial and physical health are simply too high to be sustained.
I applaud Senators Rosen and Cassidy for taking initiative toward improving protection efforts through the Healthcare Cybersecurity Act. Collaboration between the public and private sector is essential to progress in this area, as are bipartisan efforts — I hope to see continued collaboration and momentum in advancing cybersecurity protections wherever they are needed. Let’s keep those medicine cabinets closed and empower our healthcare institutions to protect themselves and their patients.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of Futurum Research as a whole.
Other insights from Futurum Research:
Nike’s Metaverse Store Paves a Pathway into the Future
ServiceNow Publishes 2022 Global Impact Report Detailing ESG Progress
Image Credit: Healthcare Innovation
The original version of this article was first published on Futurum Research.
Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”