A bipartisan Senate bill aimed at protecting Americans' medical data in the aftermath of the Change Healthcare ransomware attack now has a companion bill in the House of Representatives.
The healthcare cybersecurity bill, introduced Wednesday by Reps. Jason Crow, D-Colorado; Brian Fitzpatrick, R-Pennsylvania; and Andy Kim, D-New Jersey, would require the Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services to collaborate on a range of measures to bolster cyber defenses and provide resources to non-federal organizations in the healthcare sector.
“Cyber attackers are targeting Americans' health data, and we must stop them,” Crow said in a statement. “I am leading efforts to strengthen our cyber defenses and protect Americans' most personal and sensitive information from bad actors.”
The House bill, which mirrors a Senate bill by Sens. Jacky Rosen (D-NV), Todd Young (R-IN) and Angus King (I-MA), would create a liaison between CISA and HHS to lead coordination in the event of a cyber incident affecting the health system and provide additional support as needed.
In a statement, Fitzpatrick called hospitals and medical centers “foundational pillars” of the nation's infrastructure and said, “With an alarming increase in malicious cyberattacks that create significant data breaches, rising health care costs, and put patient health at risk, we cannot afford to delay addressing this issue. By providing new resources for cybersecurity risk training and strengthening cybersecurity protections across the country, this bipartisan bill takes decisive steps to safeguard our health care system and save lives.”
The bill also includes measures to improve information sharing on cyber threat indicators and create training tools for health system administrators. Kim said in a statement that the bill aims to ensure “frontline health care workers have the tools and up-to-date resources they need to protect patients and their information from any future breaches.”
The attack on Change Healthcare, a payment processor owned by UnitedHealth Group, sparked outrage in Congress over the company's poor cyber hygiene. Senator Mark Warner (D-VA) introduced a bill that would require health care providers to adhere to minimum cybersecurity standards. UnitedHealth ultimately paid a $22 million ransom to the ALPHV hacking group.
While the new bill awaits consideration in the House Homeland Security and Energy and Commerce committees, a companion bill passed the Senate Homeland Security and Governmental Affairs Committee last month and is headed for a vote by the full Senate.
Written by Matt Bracken
Matt Bracken is editor-in-chief of FedScoop and CyberScoop, where he oversees coverage of federal technology policy and cybersecurity. Prior to joining Scoop News Group in 2023, he was senior editor at Morning Consult, leading data-driven coverage of technology, finance, health and energy. Previously, he held various editorial roles at The Baltimore Sun and Arizona Daily Star.