The Health Care Cybersecurity and Resiliency Act of 2024: Key Takeaways and Implications

By: Steve Cagle, MBA, HCISPP, CHISL, CDH-E
Clearwater CEO

The Health Care Cybersecurity and Resiliency Act (HCCRA) of 2024 is yet another proposed bill aimed at strengthening the healthcare sector’s cybersecurity posture and resilience. It focuses on improving coordination between government organizations, updating cybersecurity standards, increasing breach reporting requirements, and providing grants to rural healthcare organizations that lack the financial and human resources needed to address growing cybersecurity vulnerabilities and increasing threats.

HCCRA also contains important measures intended to address some of the current challenges that have made it relatively easy for cyber criminals to successfully attack and prey on healthcare providers, payors, and their business associates. These attacks disrupt and delay treatment to patients, lead to poor clinical outcomes, including higher mortality rates, and inflict severe financial damage that has even driven some organizations into bankruptcy.

Unlike the Health Infrastructure Security and Accountability Act (HISAA) proposed earlier this year, HCCRA is a bipartisan bill proposed by U.S. Sens. Bill Cassidy, MD, R-La., Mark Warner, D-Va., John Cornyn, R-Texas, and Maggie Hassan, D-N.H., each of whom is a member of a healthcare cybersecurity working group created last year. This bill incorporates provisions shaped by the group’s efforts and insights. Unlike HISAA, HCCRA does not impose tiered monetary fines, require annual independent audits, or mandate CEO and CISO attestations of cybersecurity compliance. It also does not prescribe criminal penalties for reporting false information or require Covered Entities and Business Associates to pay oversight fees to fund enforcement.

Read below for a detailed overview of the proposed HCCRA and its key provisions.

Coordination Between HHS and CISA

Summary: The proposed bill directs the Secretary of Health and Human Services (HHS) to coordinate with the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to improve cybersecurity in the Healthcare and Public Health Sector potentially through a cooperative agreement. The coordination would improve dissemination of cyber threat alerts and appropriate defensive measures through Information Sharing and Analysis Organizations (ISAOs), which would likely be the Health Information Sharing and Analysis Center (H-ISAC). It would also require HHS to create tailored products to address the unique needs of the Healthcare and Public Health Sector.

Commentary: Improving the quality, comprehensiveness, and timeliness of threat and mitigation information is much needed, and this is a good step in the right direction. However, it is important to note that many small and mid-sized healthcare organizations don’t have the resources, skill sets, or means to interpret and act on the information. H-ISAC and other information sharing organizations don’t include cybersecurity firms and other IT firms in the dissemination of all of the most current information. As most healthcare organizations rely on their cybersecurity partners to protect them and respond to attacks, it is essential that we broaden the audience and more freely share threat intelligence with all parts of the healthcare sector, especially the third-party security firms that play a crucial role in defending it.

Oversight of Cybersecurity Activities

Summary: The HCCRA designates the Administration for Strategic Preparedness and Response (ASPR) at HHS as the Sector Risk Management Agency for the Healthcare and Public Health Sector. ASPR will oversee and coordinate activities within the Department of Health and Human Services to enhance cybersecurity resiliency, including facilitating coordination and communication with public and private entities related to preparedness for and responses to cybersecurity incidents.

Commentary: This provision references Presidential Policy Directive 21 of 2013. However, PPD-21 has already been superseded by National Security Memorandum-22, which establishes the responsibility of Sector Risk Management Agencies (in this case HHS) to “lead sector risk management within their sector and support cross-sector risk management, including establishing and implementing programs or initiatives”, and to “share and receive information and intelligence directly with critical infrastructure owners and operators in their respective sectors.” Additionally, in its Cybersecurity Strategy published in 2023, HHS designated ASPR to lead internal cybersecurity risk management efforts. HHS further actioned this move in its July 2024 re-organization.

HCCRA should help to further codify these responsibilities into law, providing legal clarity that reinforces efforts already underway which may have been, or could become, hampered by bureaucratic or political obstacles. By establishing clear responsibility and accountability, this provision seeks to address these potential challenges and should help to further drive action within HHS and CISA.

Cybersecurity Incident Response Plan

Summary: Under the bill, the HHS Secretary would be required to develop and implement a cybersecurity incident response plan within one year to guide HHS personnel in handling cybersecurity incidents affecting information systems, including hardware, software, databases, and networks, maintained by or on behalf of the Department. The plan must assess potential cybersecurity risks through risk assessments, implement measures to preemptively avoid cybersecurity incidents, create processes to detect cybersecurity breaches or attacks, and include protections to safeguard sensitive information and limit harm and loss of data, and to recover from incidents “expeditiously”.

In order to develop this plan, the HHS Secretary must collaborate with key agencies and experts, including the CISA Director as well as the Office of Management and Budget (OMB) Director and the National Institute of Standards and Technology (NIST) Director. HHS is required to submit a comprehensive report on the plan to various Senate and House committees at least 60 days before implementation.

Commentary: This is a particularly important aspect of the bill, as it essentially requires HHS to implement stronger cybersecurity standards and practices, continuously assess its own cybersecurity risk, and ensure it is resilient with respect to the current threat environment. These are cybersecurity practices that HHS should be doing already; however, the law would add accountability and oversight. The NIST Cybersecurity Framework (CSF) is mandatory for U.S. government agencies to follow, as stipulated by Executive Orders and federal policies, including the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure of May 2017.

Despite the requirement to conform with the NIST CSF, the Office of the Inspector General (OIG) reported in its annual audit of HHS, conducted under the Federal Information Security Modernization Act of 2014, that HHS’s cybersecurity program and practices were deemed “not effective” in achieving maturity for all five function areas under the NIST CSF 1.1 framework: Identify, Protect, Detect, Respond, and Recover. Additionally, a separate OIG audit identified cybersecurity deficiencies in HHS’s cloud environments.

Given HHS’s critical role in national health and its handling of sensitive data, including ePHI, it is critical for the agency to meet cybersecurity requirements and ensure resilience against cyberattacks. Legislation requiring adherence to these standards might be helpful in forcing the agency to address these serious deficiencies.

Breach Portal Reporting

Summary: This provision would require the Secretary of HHS to promulgate updated regulations that require the public display of information on corrective actions and recognized security practices applied by covered entities that have experienced a cybersecurity incident or breach.

The HITECH Act requires the Secretary of the Department of Health and Human Services to post on a website, known as the Office for Civil Rights (OCR) breach portal, a list of reported breaches of unsecured protected health information affecting 500 or more individuals. HCCRA would require that the portal include additional information, including information on any corrective action taken against a covered entity that reported a breach, whether and to what extent recognized security practices (as defined in Section 13412(b)(1) of HITECH) were considered during the breach investigation, and any other information about the breach that the Secretary deems necessary.

This provision would require the reporting covered entity to publish not only the actions taken to correct any security deficiencies discovered as a result of a breach but also its implementation of recognized cybersecurity practices as defined in the HITECH amendment that was introduced in Public Law 321-116. These practices include the NIST Cybersecurity Framework and the 405(d) Health Industry Cybersecurity Practices (HICP) Publication, or other future practices that are developed through regulation (which could potentially include some form of the HHS voluntary Cybersecurity Performance Goals).

Commentary: Requiring this level of reporting may seem to promote greater accountability, and it certainly could be helpful from a “lessons learned” perspective. However, this provision has drawbacks and creates some concerns. First and foremost, publicly disclosing an organization’s implementation of security practices, along with details about unresolved vulnerabilities, could unintentionally provide bad actors with valuable information for targeting. Secondly, as the requirement applies only to covered entities, this provision would likely not include the business associates who were subject to third-party breaches, unless the Rules are updated to address this. Lastly, this provision appears to be punitive. While it is important for such information to be reported to HHS, it might be best kept from the public eye.

Clarifying Breach Reporting Obligations

Summary: This section adds a new requirement to the existing breach reporting obligations: the notice of a breach sent to individuals must include the number of individuals affected by the breach.

Commentary: While this is interesting information, it is questionable how useful it is for individuals to know how many others were affected by the breach. The data is already reported to OCR within 60 days and published on the breach portal if the breach involves more than 500 records. The provision may complicate or delay reporting to individuals if the number of individuals affected is not yet known. A better approach may be to direct the individual to the breach portal for more information, including the number of individuals affected by the breach.

Enhancing Recognition of Security Practices

Summary: This section would require the Secretary of HHS to issue specific guidance on the processes for submitting, evaluating, and reporting on healthcare organizations’ implementation of recognized security practices as defined in Section 13412 of the HITECH Act. Additionally, it must define the extent to which the practices need to be in place for consideration. HHS would need to issue a report within two years that details how this provision was implemented and includes an account of every case in which these practices were considered by HHS when conducting audits or assessing potential fines.

Commentary: This provision should be welcomed by the industry as it reaffirms the NIST Cybersecurity Framework and 405(d) HICP as recognized security practices widely adopted by many organizations. It also provides a pathway for entities to “get credit” for their cybersecurity investments. By requiring HHS to clarify how these practices are evaluated and leveraged for benefits under the HITECH Act, the provision introduces much-needed transparency and accountability.

Historically, the process for considering recognized security practices has been opaque, which has created the potential for inconsistent application of the HITECH provision across different organizations. By clarifying how these practices are assessed and utilized, the provision incentivizes organizations to accelerate investments in these practices. Healthcare organizations will have greater confidence that demonstrating implementation of these practices will help them avoid lengthy audits and fines.

Required Cybersecurity Standards

Summary: The Secretary of Health and Human Services (HHS) would be required to update the privacy, security, and breach notification regulations found in 45 CFR parts 160 and 164 (or their successors) to require the adoption of specific cybersecurity practices by covered entities and business associates. These practices would have to include multifactor authentication, encryption, “audits” (including penetration testing), and other standards as determined by HHS. HHS would also need to define reasonable deadlines for compliance.

Commentary: Requirements for new cybersecurity standards should come as no surprise to the industry. HHS has already communicated that it intends to propose updates to the HIPAA Security Rule, and HCCRA would provide a specific directive codified in law to do so. This may be particularly helpful considering potential challenges that may be brought following the June 28, 2024, Loper Bright Supreme Court decision that overruled the long-standing Chevron doctrine, setting a new standard requiring that courts exercise independent judgment on whether agencies act within their statutory authority. By requiring specific standards in law, and providing HHS broad authority to create other standards, it would be more difficult for industry associations or specific organizations to challenge the new cybersecurity standards in court.

Guidance on Rural Cybersecurity Readiness

Summary: This provision requires HHS to issue guidance to rural entities on 20 best practices to improve cyber readiness, including strategies to improve infrastructure through technical safeguards, integrate best practices, improve employee preparation to mitigate cybersecurity risks (including through education initiatives), and implement policies to facilitate mandatory cybersecurity incident reporting required by law. Additionally, it requires the Comptroller General of the United States to study the effectiveness of the implementation of this program and provide a report to various committees of Congress. The report must cover how well rural entities have implemented technical safeguards, the challenges in such implementations, and steps to further support rural health entities through coordination with Federal agencies or public-private partnerships.

Commentary: This section appears to have been included based on the realization that having recognized cybersecurity practices and regulatory requirements is not enough for rural healthcare providers, who often lack the resources and expertise to implement them effectively. The bill aims to bridge this gap by providing specific “how to” guides, education, and training to help these providers implement security controls. While such support can be helpful, it does not solve the problem on its own. Knowing what to do, and potentially as a result of this effort “how to do it”, does not change the fact that most rural health providers do not have the people to implement and execute these security practices. There appears to be an attempt to address this dilemma in the next section.

Grants to Enhance Cybersecurity in the Health and Public Health Sector

Summary: This section of the bill allows the Secretary of HHS to award grants to eligible entities for the adoption and use of cybersecurity best practices. Eligible entities include hospitals, cancer centers, rural health clinics, health facilities operated by the Indian Health Service, academic health centers, or a nonprofit entity that enters into a partnership with an eligible entity. Grants can be authorized for up to three years, and used for hiring and training, personnel training in cybersecurity best practices, electronic data system updates, migrating systems to cloud-based platforms or other modern technologies, information sharing participation, joining and engaging in health cybersecurity threat information-sharing organizations, reducing legacy systems, phasing out outdated systems to improve security, third-party contracting, and engaging external vendors or consultants to assist in implementing any of the above activities.

Commentary: Providing funding for rural healthcare providers is one of the highest needs and priorities in addressing cybersecurity shortfalls in the Healthcare and Public Health sector. Regardless of how much regulation or guidance we provide, it won’t change the fact that the money must come from somewhere to pay for tools and cybersecurity expert resources. Rural providers are struggling financially and cannot afford to keep up with the increasing need for cybersecurity demands. On a positive note, the bill authorizes HHS to award grants for a wide range of needs, giving recipients flexibility to apply the funds to address their specific risks rather than constraining them to predefined categories that might not align with their most pressing vulnerabilities. And while the bill addresses numerous types of healthcare providers, it appears to leave out post-acute care entities.

The bill authorizes grants to be provided from 2025 through 2030, but unlike HISAA, it does not specify where this money is coming from. The 2025 HHS Budget states “the budget also establishes a $1.3 billion Medicare incentive program to encourage hospitals to adopt essential and enhanced cybersecurity practices”; however, this proposed funding is limited to hospitals and appears to be a separate initiative from the grant proposal. Additionally, a review of the Administration for Strategic Preparedness and Response (ASPR) Budget Request and its Justification of Estimates for Appropriations Committees does not reveal a specific mention or line item for these grants, though there is $317.055 million proposed for Health Care Readiness and Recovery (HCRR), an increase of $12 million over 2024.

Healthcare Cybersecurity Workforce

Summary: This section of the bill requires the Secretary of HHS, in coordination with the CISA Cybersecurity State Coordinators and private sector health care experts, to provide training to health and public health sector asset owners and operators. The Administrator of the Health Resources and Services Administration is to coordinate with CISA to develop a strategic plan to educate these individuals on cybersecurity risks within the healthcare and public health sector, and ways to mitigate these risks. The plan must include recommendations to leverage existing cybersecurity educational programs, methods of developing and disseminating materials, development of best practices for training the healthcare workforce, and identification of opportunities for public-private partnerships to strengthen the cybersecurity workforce.

Commentary: While additional cybersecurity training about risks and best practices for healthcare professionals can be helpful, there are many programs already in place that provide these types of activities and offer resources freely to the industry. Many healthcare organizations are already aware of the risks. What we really need is more trained and certified professionals who have the knowledge and expertise to develop, execute, and mature cybersecurity programs. There is a massive shortage of cybersecurity professionals overall, and even more so in healthcare, where resources are more scarce and pay scales are often lower than in other industries. What would be more helpful for the sector is funding for the education and certification of cybersecurity professionals, which would increase the cybersecurity workforce serving healthcare.

Conclusion

The Health Care Cybersecurity and Resiliency Act (HCCRA) of 2024 takes admirable steps to improve cybersecurity standards, education, and breach reporting in the healthcare sector. Although it does not fully address critical issues such as resource limitations and funding gaps that undermine cybersecurity resilience, it offers practical steps that could lead to incremental improvements in risk assessment and the development of stronger security programs. While the bill is helpful, more work must be done to provide funding to the industry, increase accountability for meeting cybersecurity standards, and improve the overall resilience of the sector.
