One lawmaker says the bill to empower the HHS IG would address "how we are setting standards for American patients’ healthcare data."
As the health sector continues to be targeted by hackers, lawmakers have coalesced around a bipartisan bill to boost healthcare cybersecurity through routine evaluations by the Department of Health and Human Services’ inspector general.
Several House lawmakers earlier this month introduced the “Strengthening Cybersecurity in Health Care Act.” A bipartisan companion bill in the Senate was released earlier this year.
The bill would require the HHS IG to routinely probe the cyber defenses of healthcare IT systems, through penetration tests and other measures. The testing would evaluate whether the systems are secure enough to prevent compromises that could either expose patient data or impact patient safety, according to the bill.
The legislation would apply to systems involved in “processing, transmitting, or storing mission critical or sensitive data by, for, or on behalf of” HHS.
While the bill ties the requirements to HHS-related data, the department’s central role in the U.S. health system, including through the Centers for Medicare & Medicaid Services, means such a testing regime could have far-reaching implications.
Rep. Abigail Spanberger (D-Va.), one of the sponsors of the bill, recently suggested it could help raise cybersecurity standards across the health sector.
“This would be in terms of how we are setting standards for American patients’ healthcare data,” Spanberger said in an interview on the Federal Drive with Tom Temin. “And so recognizing the standards related to how that data is maintained, but ensuring that HHS is ultimately part of a larger conversation. Certainly there’s much that needs to be done in private industry.”
Sen. Angus King (I-Maine), one of the cosponsors in the Senate, said in a statement that the bill would “help ensure that health institutions have the resources to keep patient data safe. As the number of threats continues to grow, consistent evaluations will prove to be a lifeline to the medical community treating our family and friends.”
The new bill comes amid the fallout from the Change Healthcare ransomware attack. The February incident forced the company – far and away the top healthcare payments service provider in the United States – to take down its network, roiling U.S. healthcare systems as a result.
More recently, a ransomware attack on a major U.S. health provider earlier this month forced nurses to work without access to electronic records, CNN reported.
The FBI’s Internet Crime Complaint Center reports that the healthcare sector is the top target for ransomware attacks.
Spanberger said lawmakers want to ensure HHS “is equipped with the most up to date mitigation and response strategies, particularly as we see the health care sector continues to be such a prime target.”
“Ensuring that we are putting the inspector general in a place to evaluate whether current systems could be compromised or could expose patient data or could be strengthened, I think is an important step forward,” she said.
Meanwhile, HHS officials say they want to make the Administration for Strategic Preparedness and Response (ASPR) the department’s “one-stop shop” for healthcare cybersecurity going forward. The Biden administration is requesting a $12 million increase in funding for ASPR in fiscal 2025 to increase its cybersecurity work with the health sector.
“A one-stop shop will enhance coordination within HHS and the federal government, deepen government’s partnership with industry, increase HHS’s incident response capabilities, and promote greater uptake of government services and resources such as technical assistance, vulnerability scanning, and more,” a December HHS white paper states. “ASPR has the response expertise and capabilities appropriate for helping the sector navigate and access the array of cybersecurity supports available from HHS and across the federal government.”
Copyright © 2024 Federal News Network. All rights reserved.