Sen. Bill Cassidy (R-LA), ranking Member on the Senate Health, Education, Labor, and Pensions Committee, participates in a hearing on prescription drugs costs at the Dirksen Senate Office Building on February 08, 2024. Cassidy led introduction of a bill to improve communication between HHS and health care orgs.

Sen. Bill Cassidy (R-LA), ranking Member on the Senate Health, Education, Labor, and Pensions Committee, participates in a hearing on prescription drugs costs at the Dirksen Senate Office Building on February 08, 2024. Cassidy led introduction of a bill to improve communication between HHS and health care orgs. Kevin Dietsch/Getty Images

Lawmakers want to enhance HHS cyber engagement with health care orgs

The bipartisan proposal, introduced by Sen. Bill Cassidy, R-La., came out of the efforts of a working group focused on protecting medical institutions from digital attacks.

The growing number of cyberattacks targeting the U.S. health care sector in recent years has pushed a bipartisan group of senators to propose legislation that seeks to bolster institutions’ security practices and enhance engagement with federal agencies. 

The measure — introduced on Nov. 22 by Sen. Bill Cassidy, R-La., and co-sponsored by Sens. John Cornyn, R-Texas, Maggie Hassan, D-N.H., and Mark Warner, D-Va. — would direct the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency “to coordinate to improve cybersecurity in the health care and public health sectors.” 

HHS, in particular, would be required to update privacy, security and breach notification regulations that apply to health care-related entities. These new cyber practices would include using multifactor authentication, adopting “safeguards to encrypt protected health information,” establishing requirements for conducting audits and “other minimum cybersecurity standards” determined by the department’s secretary.

Within one year of the bill’s enactment, the HHS secretary would be required to develop and implement a cybersecurity incident response plan that includes strategies for assessing cybersecurity risks, detecting and preventing cyber threats, mitigating intrusions and quickly recovering from cyber incidents.

HHS, in cooperation with CISA, would also make additional resources available to health care and public health sector organizations, including “sharing information relating to cyber threat indicators and appropriate defensive measures.”

Health care and public health entities would also have increased access to cybersecurity-related grants, and the department would also be required to issue cybersecurity best practices for rural health entities and clinics.

In a statement, Cassidy said the legislation “ensures health institutions can safeguard Americans’ health data against increasing cyber threats.”

Cassidy — ranking member of the Senate Health, Education, Labor and Pensions Committee — and the three other lawmakers launched a working group in November 2023 to examine potential solutions for enhancing the cybersecurity of health care and public health institutions. In a press release, Cassidy’s office said the legislation evolved out of the group’s work. 

The rollout of the legislation comes as cybercriminals have increasingly attacked U.S. health care institutions. A February ransomware attack that targeted Change Healthcare — a subsidiary of UnitedHealth Group and the nation’s largest health care payment system — disrupted provider payments and prescription services at hospitals and medical centers across the country.

The Government Accountability Office warned in a report earlier this month, however, that HHS has still not implemented several critical cybersecurity recommendations despite growing threats.