The health care sector is increasingly victimized by targeted cyberattacks. The stakes are uniquely high when a health system finds itself at the center of a cyberattack; the consequences can be severe for both the health system and the patients it treats and serves. The problem is well-known, yet a fix has been elusive. Current laws neither sufficiently protect health systems and patients from these attacks nor adequately compensate those harmed. This analysis examines the deficiencies in both current and proposed legislation and explores what more is required to address the growing risks that accompany cyberattacks on health systems.
Cyberattack Basics.
A cyber incident or cyberattack is “an event occurring through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems [or] physical or virtual infrastructure controlled by computers or information systems…” Cyberattack perpetrators seek health information valuable on the black market; such information “contains details that can be used to access bank accounts or obtain prescriptions for controlled substances.”
Between 2018 and 2022, there was a 107% increase in the number of data breaches reported to the Office for Civil Rights (OCR) that affected 500 or more individuals. The number and size of data breaches steadily rose from 2021 to 2023, with 45.9 million records breached in 2021 and 133 million records breached or otherwise impermissibly obtained in 2023.
It is not surprising that recent years have seen numerous, far-reaching health care cyberattacks. The Kaiser Foundation Health Plan, Inc. suffered a cyberattack in 2024 that resulted in a breach of over 13 million records. In 2023, Welltok, Inc. was the victim of a cyberattack in which over 14 million records were impermissibly exposed. At the top of the list is the cyberattack that targeted Change Healthcare, Inc., in which over 100 million records were breached.
Holes within Current Laws and Guidance.
Current laws and guidance have been ineffective in quelling the rise of cyberattacks. The Department of Health and Human Services (HHS) has stressed that “there are measures known to be effective to prevent the introduction of ransomware and to recover from a ransomware attack.”
Under the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule, covered entities and business associates must implement measures and procedures “that they believe are reasonable and appropriate to respond to malware and other security incidents.” Although HIPAA is a federal law that covered entities and business associates must follow, the continued rise in cyberattacks indicates that HIPAA may need strengthening.
The persistence of successful cyberattacks makes clear that guidance, though helpful, is not enough: legislation is necessary if true reform is the ultimate goal. Because “health care and public health sector assets are increasingly the targets of malicious cyberattacks,” the Healthcare Cybersecurity Act (HCA) of 2022 was an effort to mitigate this prevalent problem. The 2022 HCA was meant to introduce reforms that would revitalize the health care sector. It did not pass, but it was reintroduced in 2024 with additions.
Originally known as Senate Bill 3904, the 2022 HCA would require the Cybersecurity and Infrastructure Security Agency (CISA) to coordinate with HHS to improve cybersecurity in the health care sector. Through this coordination, CISA and HHS would develop products to specifically meet the needs of health care entities, as well as share information that relates to “cyber threat indicators and appropriate defensive measures.” The Secretary of HHS would be required to provide training to health care and public health asset owners and operators, particularly on cybersecurity risks and how to mitigate them.
The 2022 HCA also emphasized that the Secretary of HHS must update the Health Care and Public Health Sector Specific Plan (Plan); the Plan would include an analysis of the impact of cybersecurity risks, an evaluation of the challenges that the health care sector faces, an evaluation regarding best practices, an assessment of relevant cybersecurity workforce shortages, cybersecurity challenges related to the COVID-19 public health emergency, and an evaluation of the most timely ways that CISA and HHS can communicate and establish recommendations to the health care sector.
Proposed Legislation Will Not be Enough to Safeguard Health Systems.
On July 11, 2024, Senators Jacky Rosen (D-NY), Todd Young (R-IN), and Angus King (I-ME) introduced the Healthcare Cybersecurity Act of 2024. When announcing the bipartisan bill, the Senators cited the Change Healthcare cyberattack as motivation for introducing the bill, emphasizing that the attack severely interrupted the functionality of hospitals. The 2024 HCA builds on the 2022 HCA by adding a few provisions.
First, the 2024 HCA calls for the appointment of a liaison with cybersecurity qualifications and expertise. The liaison would be charged with numerous responsibilities, including offering technical assistance on best practices relating to cybersecurity, facilitating cyber threat information sharing, and coordinating with CISA and HHS during cybersecurity incidents, among other related tasks. The liaison must “submit a report that describes the activities undertaken to improve cybersecurity coordination” between CISA and HHS. Ultimately, the liaison is meant to help CISA and HHS coordinate with one another to be able to respond to cyberattacks quickly.
Second, the 2024 HCA would require that the Director of CISA establish criteria to determine what constitutes a high-risk covered asset. A covered asset under the HCA of 2024 is a “healthcare and public health sector asset, including technologies, services, and utilities.” In this context, a high-risk covered asset would be a healthcare asset that may be susceptible to high levels of harm due to its sensitive nature. Further, the Secretary of HHS must develop a list of high-risk covered assets for HHS to use when “prioritiz[ing] resource allocation to high-risk covered assets to bolster cyber resilience.” This section is meant to identify high-risk covered assets so that the federal government is aware of their status and so that those assets may be prioritized in the event of a cyberattack.
Although some vouch that the 2024 HCA is a “critical step forward in safeguarding our nation’s healthcare infrastructure,” others are unconvinced that the HCA will be as impactful as hoped. Many believe that the 2024 HCA is redundant with actions that are already being undertaken. Steve Cagle, CEO of the health care cybersecurity firm Clearwater, stated that former President Biden’s “National Security Memorandum on Critical Infrastructure, Presidential Policy Directive 41, HHS’s 405d program, and cybersecurity training already offered” all achieve the same initiatives that the 2024 HCA attempts to accomplish. Some argue that what is truly needed is “accountability, email protection, vulnerability management, risk analysis, and experienced security staff to guide programs.”
It seems that those who do not have faith in the positive effects of the 2024 HCA argue that, from small-scale organizations to large-scale corporations, basic security controls must be in place first. Without basic controls, federal legislation may not positively contribute to avoiding cyberattacks or even mitigating the risks of cyberattacks.
Conclusion: What Will Work? Will Anything Work?
The health care sector continues to fall victim to the steady rise of cyberattacks that not only disrupt operations, but also affect the patients served. Although the 2024 HCA may be a sign of progress, its impact may be limited without implementation of basic security controls across all sizes of health systems. The Change Healthcare cyberattack illustrates that even a large corporation with seemingly robust resources is vulnerable if it relies on inadequate, reactive security measures.
Although the 2024 HCA strives to develop better strategies in response to cyberattacks, a shift towards proactive security measures within health systems is required to effectuate positive change. Instead of reacting to cyberattacks when they occur, health systems should engage in proactive cybersecurity, where they invest to improve their cybersecurity before an attack occurs. Reactive cybersecurity measures make it more likely that a cyberattack will be successful since adequate security measures are not in place prior to the cyberattack. On the other hand, proactive cybersecurity initiatives anticipate future issues so that an entity is prepared when a cyberattack occurs. Specific examples of proactive cybersecurity measures include workforce training, ongoing risk assessments, third-party risk management, and more. Current law focuses too much on reacting to cyberattacks rather than preventing them. If future law shifts toward a proactive approach, it could better equip health systems to prevent cyberattacks, ultimately improving patient safety and trust. Until foundational measures are addressed and proactive cybersecurity initiatives are implemented, neither laws nor initiatives, existing or proposed, will be adequate to protect health systems from the cyberattacks to which they remain so vulnerable.