Senate Cyber Bill Requires Entities to Notify Government of Breaches, Attacks

March 11, 2022

The U.S. Senate recently passed a cybersecurity bill, the "Strengthening American Cybersecurity Act," which would require owners and operators in critical infrastructure sectors, potentially including the health care industry, to notify the federal government when they are the victim of a substantial cyberattack or make a ransomware payment. The bill is a response to several high-profile cyber events of the past year or so, and its passage was accelerated by the Russia-Ukraine war and the heightened threat of cyberattacks that has accompanied it.

In late 2020, for example, attackers compromised SolarWinds, a major software company, by inserting malicious code into updates of its Orion network monitoring and management software, which is used by thousands of enterprises and government agencies worldwide. In May 2021, Colonial Pipeline, the largest refined-fuel pipeline in the country, was hit with ransomware by a criminal group based in Eastern Europe. The company shut the pipeline down for several days, causing panic-buying of gasoline, shortages, and price spikes in several states.

In both of these cases, and in other high-profile attacks, victims were often unclear about which federal agency to contact. Some called the FBI, while others alerted the Treasury Department or other agencies, leaving the government without a single, consistent picture of the incident.

The bill would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of experiencing a substantial cyberattack and within 24 hours of making a ransomware payment. Routing reports to a single agency is intended to help the U.S. government coordinate its response in a timely manner.

Potential Health Care Sector Impact

According to the Senate bill, the critical infrastructure organizations covered by the legislation are those for which a cybersecurity disruption or compromise could have consequences for national security, economic security, or public health and safety. How this will affect the health care industry remains to be seen, since the covered entities would be defined in later rulemaking. A hospital whose entire record system is shut down by ransomware, for example, would likely fall under the bill's mandate.

According to privacy attorney David Holtzman, principal at HITPrivacy, the legislation could apply to any health care organization that maintains an information system accessible from the internet, as well as to any vendor of a health care organization that has electronic access to the entity's information system or data. "The bill passed by the Senate does not exempt HIPAA-covered entities or their business associates from the obligations to report cybersecurity incidents or ransomware payments," he says. "The legislation also does not preempt or modify the existing HIPAA breach reporting requirements established in the HITECH Act." Under those existing rules, HIPAA-covered entities and their business associates must report breaches of protected health information (PHI) affecting 500 or more individuals to the Department of Health and Human Services without unreasonable delay and no later than 60 days after discovery, so an organization could face both obligations for the same incident.

We will continue to keep our eye on this bill, on any cybersecurity legislation signed by President Biden, and on the impact it could have on the health care industry. Manchester Specialty Programs specializes in providing agents and brokers with fully integrated business insurance solutions to meet the needs of Home Care, Allied Health, and Human/Social Services organizations. For more information about how our products and services can help protect your insureds and how we recognize accredited firms, please contact us at 855.972.9399.

Sources: Roll Call, H-ISAC