The Health Care Cybersecurity and Resiliency Act of 2024 seeks to bolster cybersecurity across the healthcare and public health sectors. It was introduced by Senators Bill Cassidy M.D., Maggie Hassan, John Cornyn, and Mark Warner as part of a bipartisan effort to address vulnerabilities exposed by recent cyberattacks on healthcare systems, which have affected millions of patients and disrupted care delivery. According to the US Health and Human Services Office (HHS), a record 89 million Americans had their health information breached in 2023 (more than double the 2022 figure), at a cost of a whopping $890 million!

HIPAA Journal 1H 2024 Report: Records Compromised Unauthorized Access. Source: hipaajournal.com

The key implication in our opinion is that it sets a precedent for federal involvement in healthcare cybersecurity, and signals potential future regulations. Here’s what we know so far:

Who Does It Apply To?

The bill (PDF) aims to require the Secretary of Health and Human Services (HHS) and the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate to improve cybersecurity in the healthcare and public health sectors. Targeting healthcare entities such as hospitals, rural clinics, academic medical centers, and public health facilities, the bill also applies to entities managing healthcare data, including software vendors and contractors (many of whom have been implicated in breaches that expose sensitive patient data).

Key Requirements

The legislation mandates several measures for cybersecurity enhancement:

  • Development of a cybersecurity incident response plan by the Department of Health and Human Services (HHS) within one year.
  • Implementation of cybersecurity best practices such as multifactor authentication, encryption, and routine penetration testing.
  • Support for rural healthcare providers with tailored best practices and resources to strengthen cyber defenses.
  • Modernization of existing Health Insurance Portability and Accountability Act (HIPAA) regulations to include updated cybersecurity protocols.

HIPAA Journal 1H 2024 Report: Records Compromised in Hacking. Source: hipaajournal.com

Technologies and Strategies Involved

The bill emphasizes integrating common cybersecurity technologies, including:

  • Threat information-sharing platforms to enhance collaboration between healthcare entities and federal agencies.
  • Cloud-based systems to replace legacy infrastructure, improving scalability and security.
  • Tools to assess and mitigate risks to health data storage and transmission.

Enforcement and Fines

Organizations failing to comply with these mandates may face enforcement actions. While the exact fines for non-compliance have not been detailed, adherence to “recognized security practices” could influence the severity of penalties assessed during audits or investigations.

Funding and Timelines

The legislation allocates federal grants for healthcare providers, medical device manufacturers, and others to upgrade systems, train personnel, and join cybersecurity information-sharing organizations. Grants are authorized from 2025 to 2030.

Broader Implications

Cyberattacks on healthcare systems are increasing in frequency and severity, risking patient safety and data privacy. As we stated above, this act not only provides resources and guidance but also sets a precedent for federal involvement in healthcare cybersecurity, signaling potential future regulations. By addressing vulnerabilities proactively, the act aims to protect patient data and ensure uninterrupted care delivery.

This bipartisan initiative reflects a growing recognition of the critical need for robust cybersecurity, with the potential to significantly enhance resiliency against evolving threats in healthcare and other industries.

Empower your Product Security teams with C2A Security

C2A Security EVSec Platform - DevSecOps for product security teams

C2A Security’s EVSec Platform empowers software-defined companies to develop more secure products and shorten time-to-market.

As the only context-driven product security platform for Premarket Approval and Postmarket Surveillance, our leading DevSecOps Product Security platform leverages dynamic risk, BOM, and Vulnerability management, as well as attack path triage, to ensure targeted protection and seamless compliance for the development and operations of medical devices.

Schedule a demo today to learn more.