Will Congress’ new cybersecurity bills prevent the next Change Healthcare incident?
After billions of dollars in damages and weeks of administrative delays across the healthcare industry, the Change Healthcare cybersecurity attack has been burned into the history books as one of the most devastating digital events of the era.
There is typically a sort of silver lining to these events, however: in the wake of a major data breach, other organizations usually get so rattled that they dump as much time and money as possible into analyzing their own weaknesses and bulking up their defenses, hoping to avoid being the next national news headline.
This time, industry stakeholders aren’t the only ones taking the ongoing threat of ransomware and other cybercrimes very seriously. Congress is also getting involved. After a series of very pointed hearings, both the House and the Senate introduced bills to assist providers, payers, and other partners with managing the cybersecurity landscape.
The two bipartisan companion bills will foster collaboration across government departments, specifically by directing the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) to make additional resources available to non-federal entities related to cyber threat indicators and defense measures.
The pending legislation would also create a “special liaison” to HHS within CISA to help coordinate responses during cybersecurity incidents and support both the healthcare and public health sectors if affected by an event.
“Hospitals and health centers are fundamental pillars of our nation’s infrastructure. With the alarming rise in malicious cyberattacks causing critical data breaches, increased healthcare costs, and jeopardized patient health, we cannot delay action in addressing this issue. By providing new resources for cybersecurity risk training and fortifying our cybersecurity protections nationwide, our bipartisan legislation takes decisive action to safeguard our healthcare systems and protect lives,” said Rep. Brian Fitzpatrick (R-PA-01).
Noting that ransomware and other cybercrimes can have a particularly harsh impact on rural communities with limited care options, Senator Angus King (I-ME), added, “These attacks and breaches of data can literally mean the difference between life and death for patients, significantly impact hospital operations, and — with the average hack costing millions to address — increase healthcare prices across the board. The bipartisan Healthcare Cybersecurity Act will take important steps toward protecting patients’ data and healthcare provider capabilities, and bolstering our cybersecurity infrastructure and response.”
While the bills are a welcome first step toward a more cohesive response from the top when bad actors manage to get in the door, and the promised resources for education and response are likely to be helpful to some degree, the federal government has only a limited ability to make a real difference in the broader cybersecurity landscape – at least without additional regulation, incentives, and penalties.
In our distributed, fragmented, and highly privatized healthcare system, it’s largely up to individual organizations to adequately secure their data and lock down vulnerabilities in their infrastructure.
That means proactively investing in leading-edge privacy and security tools, consistently choosing the most stringent interpretations of HIPAA (not the ones that will allow the organization to just scrape by in compliance), and regularly educating end-users on the dangers of phishing, smishing, vishing, and all the other “-ishings” that let a bad actor inside.
Fortunately, more and more healthcare stakeholders are turning their attention to prevention in addition to building up their response plans. A recent report from Bain & Company and KLAS Research found that investment in cybersecurity infrastructure is on the rise after the Change Healthcare fiasco, particularly among those who were burned during the event and don’t wish to experience similar circumstances again.
This trend will need to continue across the entire care continuum, including among technology companies, device manufacturers, managed service providers, cloud storage providers, life science entities, and all the other multitudinous entities that touch the core of the provider and payer landscape.
Only with truly concerted collaboration and a preventive approach to cybersecurity vigilance will the healthcare industry be able to contain the sky-high costs of data breaches while reducing the serious negative impact of breaches on the people it serves.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at jennifer@inklesscreative.com.