Source URL: https://www.theregister.com/2024/11/26/us_senators_healthcare_cybersecurity/
Source: The Register
Title: US senators propose law to require bare minimum security standards
Feedly Summary: In case anyone forgot about Change Healthcare
American hospitals and healthcare organizations would be required to adopt multi-factor authentication (MFA) and other minimum cybersecurity standards under new legislation proposed by a bipartisan group of US senators. …
Summary: The proposed Health Care Cybersecurity and Resiliency Act of 2024 would mandate multi-factor authentication and other cybersecurity standards for American healthcare organizations. This legislation aims to enhance coordination between federal agencies and strengthen the cybersecurity posture of the healthcare sector, highlighting the increasing need for robust cybersecurity measures in light of recent cyberattacks.
Detailed Description:
The Health Care Cybersecurity and Resiliency Act of 2024, introduced by a bipartisan group of US senators, seeks to address the pressing cybersecurity challenges faced by the American healthcare sector. The legislation outlines several key requirements and initiatives aimed at improving the resilience and security of healthcare organizations, making it particularly relevant for professionals involved in information security and healthcare compliance.
Key points of the legislation include:
– **Mandatory Multi-Factor Authentication (MFA)**: The act would require healthcare organizations to implement MFA, a widely recognized cybersecurity measure that adds an additional layer of protection against unauthorized access.
– **Coordination Between Agencies**: Enhanced collaboration between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA) is emphasized, ensuring a more unified approach to cybersecurity in the healthcare and public health sectors.
– **Cybersecurity Incident Response Plan**: HHS would be mandated to develop a cybersecurity incident response plan within a year, which would allow for quicker and more effective responses to breaches.
– **Breach Reporting Enhancements**: The act would revise the existing breach notification requirements under HIPAA, requiring covered entities to report the number of individuals affected by a data breach in addition to their current obligations.
– **Details on Corrective Actions**: The breach reporting portal would need to include information on the corrective actions undertaken by breached entities and the security practices considered during investigations.
– **Adoption of Other Cybersecurity Standards**: While MFA and encryption are specifically mentioned, the act allows the secretary of HHS to define additional cybersecurity standards that must be adopted by covered entities and their business partners.
– **Audits and Penetration Testing**: Organizations will be required to conduct audits and penetration testing to evaluate their security measures and compliance with the new standards.
– **Federal Training and Support**: The legislation also emphasizes the necessity for federal training programs focused on cybersecurity best practices for health-sector entities, along with grants and support aimed at enhancing security, particularly for rural clinics.
– **Response to Real-World Incidents**: The push for this bill is partly triggered by significant cyberattacks like the ransomware incident at Change Healthcare, which had widespread effects on healthcare service delivery and data security.
The implications of this legislation are significant for health sector organizations. It signals a growing recognition of the need for stringent cybersecurity measures in healthcare, driven by real-world threats. Compliance professionals and information security experts will need to be prepared to implement these new standards, conduct the required audits and penetration tests, and ensure that their organizations meet the minimum cybersecurity requirements stipulated by the forthcoming legislation.