A Collaborative Effort in Defeating Healthcare Cyber Attacks

Carén Oliver

Associate Editor

Loyola University Chicago School of Law, JD 2024

In an effort to improve cybersecurity in the healthcare sector, a bipartisan bill was introduced in Congress on September 13, 2022, by Republican Brian Fitzpatrick of Pennsylvania and Democrat Jason Crow of Colorado. The Healthcare Cybersecurity Act relies on a partnership between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to improve cybersecurity in the healthcare sector. The Act was introduced in response to record-high increases in health data breaches across the country over the last several years. Its goal is to provide resources for training and to heighten efforts taken across the nation to mitigate cybersecurity risk. By taking a proactive approach, the Act would not only improve patient care but also save healthcare costs.

Consequences of cyberattacks

The Act comes in response to ongoing breaches affecting millions across the country and to repeated threats of Russian cyberattacks. The frequency of cyberattacks within healthcare is driving up healthcare costs. Boosting healthcare cybersecurity through a bill that requires a collaborative effort could allow for monumental strides to be made. As technology continues to improve and spread in the healthcare space, so will cyberattacks. While proactive measures may be expensive, the data demonstrate that the consequences of a breach are even more costly.

IBM found that healthcare data breaches cost an average of $10.1 million per incident in 2021. This is a result of many organizations being understaffed and under-equipped to provide the tools necessary to prevent these types of attacks. When personal health information (PHI) is at risk, however, the stakes are even higher due to potential civil suits or, worse, loss of life. Most recently, CommonSpirit Health, the second-largest nonprofit U.S. hospital chain, suffered a ransomware attack. The attack brought its operations to a halt, impacting multiple locations across the country. This included delayed surgeries, patient care, and post-op care, as well as rescheduled appointments. Because records were removed from its online network as a result of the attack, normal hospital functions were disrupted, including access to charts, lab results, patient history, and overall records such as allergy information.

Not having access to critical information can lead to staff skipping necessary tests and scans that could prevent loss of life. On the other hand, transferring patients to other local hospitals also causes a delay which can ultimately lead to death, placing liability back onto the hospital. In incidents like these, hackers essentially encrypt hospital systems and demand payment to unlock them, leaving hospitals with little to no choice but to cave to the demand while lives are at risk.

It is the responsibility of hospitals to take action to mitigate the risk their business associates face in these matters, as data has shown that hackers frequently gain access through third-party vendors, who are more vulnerable. For example, attackers have become sophisticated in targeting business associates and their subcontractors as a weaker link through which to access patient healthcare records. Ideally, the Act would address more stringent requirements for business associates who have been granted access to PHI. While this may place a financial burden on business associates, it can mitigate costs on a larger scale by preventing a mass healthcare shutdown across the country.

Healthcare Cybersecurity Act

The Healthcare Cybersecurity Act would require CISA and HHS to enter into a partnership agreement with specific roles and responsibilities to mitigate cyberattacks. The Act authorizes cybersecurity training for Healthcare and Public Health sector asset owners and operators on cybersecurity risks and ways to mitigate them. The Act would require CISA to conduct a detailed study on the specific cybersecurity risks facing the Healthcare and Public Health Sector. The study would include an analysis of how cybersecurity risks specifically impact health care assets. The Act would also provide for an evaluation of the challenges health care assets face in securing updated information systems, and an assessment of relevant cybersecurity workforce shortages. The partnership built into the Act would be beneficial, as it would provide healthcare organizations with more support and manpower to combat the challenges they face while lessening the financial burden. However helpful, it is important that the partnership, if it does occur, has clearly defined roles and specific goals.