A new bill could change cybersecurity in health care, but does it take the right approach?

Cybersecurity breaches in the health care sector are more than IT failures—they’re crises that disrupt patient care, delay treatments, and cause severe financial hardship. The need for robust cybersecurity legislation has never been more urgent. The Cybersecurity and Resiliency Act (HCCRA) of 2024 is a proposed bipartisan bill aimed at enhancing cybersecurity resilience across the health care sector. Its focus includes improving coordination between federal agencies, establishing updated cybersecurity standards, increasing breach reporting transparency, and providing financial support to resource-constrained health care providers such as rural hospitals.

HCCRA also seeks to address critical issues that have allowed cybercriminals to exploit health care organizations, resulting in operational disruptions, delayed patient care, and even bankruptcy in severe cases. Senators Bill Cassidy, MD (R-La.), Mark Warner (D-Va.), John Cornyn (R-Texas), and Maggie Hassan (D-N.H.), members of a health care cybersecurity working group, developed the bill based on industry insights and recommendations.

Unlike the previously proposed Health Infrastructure Security and Accountability Act (HISAA), HCCRA takes a different legislative approach. It avoids imposing tiered monetary fines, independent audits, and CISO/CEO attestations of compliance. It also refrains from enforcing criminal penalties for reporting errors or requiring entities to pay enforcement oversight fees. Instead, the HCCRA focuses on supporting health care organizations by providing grants and fostering technical partnerships.

However, while HCCRA includes many promising provisions, there are several areas where it could be strengthened to better meet the complex cybersecurity challenges we face in the health care sector. This article explores key sections of the bill, identifying both its potential impact and areas for improvement.

Enhancing cybersecurity standards and transparency

HCCRA takes significant steps toward improving cybersecurity standards by requiring HHS to provide clear guidance on implementing recognized security practices as defined in Section 13412 of the HITECH Act. This provision ensures that health care organizations understand how their cybersecurity investments will be evaluated during audits or regulatory assessments.

Enhancing recognition of security practices

The bill mandates that HHS issue specific guidance on processes for submitting, evaluating, and reporting on the adoption of recognized cybersecurity practices, including the NIST Cybersecurity Framework (CSF) and the 405(d) Health Industry Cybersecurity Practices (HICP). Within two years, HHS must also submit a comprehensive report detailing how these practices were considered during audits and in assessing potential fines.

This requirement brings much-needed transparency and accountability to the evaluation process. Historically, the application of recognized security practices has been inconsistent, creating uncertainty for health care providers. By formalizing how these practices will be assessed, HCCRA incentivizes health care organizations to make cybersecurity investments with greater confidence that these efforts will be acknowledged and rewarded.

By clarifying evaluation criteria, HHS can promote a more predictable regulatory environment, reducing ambiguity about how compliance will be determined and enabling organizations to better align their security programs with federal expectations.

Requiring updated cybersecurity standards

HCCRA further directs HHS to update privacy, security, and breach notification regulations outlined in 45 CFR parts 160 and 164 (or their successors). These updates would require covered entities and business associates to adopt essential cybersecurity practices, including:

• Multifactor Authentication: Strengthening access control through identity verification protocols.
• Data Encryption: Securing sensitive information both in transit and at rest.
• Regular Audits and Penetration Testing: Conducting routine security assessments to identify and remediate vulnerabilities.

HHS would also be tasked with establishing reasonable deadlines for compliance, ensuring organizations have clear timelines for implementing these enhanced protections.

Updating cybersecurity standards is both timely and necessary, particularly given HHS’s earlier indications that HIPAA Security Rule updates were forthcoming. The HCCRA codifies these anticipated changes into law, reinforcing HHS’s authority to require compliance with modern cybersecurity protocols.

Additionally, this directive comes in the context of the June 28, 2024, Loper Supreme Court decision, which overturned the longstanding Chevron doctrine. With this change, courts must now exercise independent judgment when determining whether agencies have acted within their statutory authority. By establishing specific cybersecurity standards through legislation, HCCRA minimizes potential legal challenges from industry groups and ensures that regulatory updates are backed by clear legislative intent.

By combining transparency in evaluating security practices with updated compliance standards, HCCRA sets a robust foundation for healthcare organizations striving to meet modern cybersecurity demands.

Distinguishing between negligence and good-faith efforts

Health care organizations face varying levels of cybersecurity preparedness, with some struggling due to limited resources despite good-faith efforts to secure their systems. HCCRA acknowledges this challenge by emphasizing the adoption of recognized cybersecurity frameworks such as the NIST Cybersecurity Framework (CSF) and the 405(d) Health Industry Cybersecurity Practices (HICP).

The bill supports organizations making genuine efforts by offering grants for critical cybersecurity improvements, including upgrading outdated IT systems, migrating to cloud platforms, and hiring dedicated IT security staff. This approach aligns with industry standards while allowing resource-constrained providers to meet compliance expectations gradually.

By defining clear, standards-based expectations while supporting improvement through federal grants, HCCRA provides a framework that distinguishes between organizations taking proactive steps and those failing to meet baseline security standards.

Incentivizing security improvements through federal funding

A core component of HCCRA is its federal grant program designed to help health care providers strengthen their cybersecurity infrastructure. Eligible providers, including rural hospitals, academic health centers, and nonprofit health care organizations, can apply for grants to fund projects such as:

• Hiring cybersecurity professionals
• Upgrading IT infrastructure and electronic health record systems
• Reducing legacy vulnerabilities
• Participating in cyber threat-sharing organizations

Receiving funds requires organizations to implement best practices defined by recognized frameworks like the NIST CSF and 405(d) HICP. This provision ensures that grant-supported improvements align with broader national cybersecurity goals and HIPAA compliance requirements.

HCCRA’s flexible funding model helps providers to address their most pressing risks while encouraging long-term resilience through security investments.

Strengthening oversight and coordination

The bill calls for improved coordination between HHS and the Cybersecurity and Infrastructure Security Agency (CISA). It designates the Administration for Strategic Preparedness and Response (ASPR) as the lead cybersecurity risk management agency for healthcare. ASPR would oversee cybersecurity operations, share threat intelligence, and ensure sector-wide readiness.

By expanding information-sharing and clarifying federal roles, HCCRA aims to strengthen inter-agency collaboration, making threat alerts more timely and actionable.

Building a skilled cybersecurity workforce

To address the health care sector’s persistent cybersecurity talent shortage, HCCRA mandates national workforce development initiatives. These include training programs for health care IT and cybersecurity staff, as well as partnerships between public and private organizations to create a talent pipeline.

While these measures are a positive step, additional funding for certification programs could further expand the cybersecurity talent pool, enabling health care organizations to build sustainable cybersecurity teams.

Conclusion

The Health Care Cybersecurity and Resiliency Act of 2024 offers a comprehensive strategy for strengthening health care cybersecurity. Its combination of federal funding, updated security standards, improved oversight, and workforce development provides a strong foundation for a more resilient health care sector.

However, incorporating a tiered compliance model and expanding certification-based training programs could enhance its long-term effectiveness. By fostering collaboration among policymakers, health care providers, and cybersecurity professionals, HCCRA has the potential to reshape the health care sector’s cybersecurity landscape while protecting patient safety and operational stability.

The Cybersecurity and Resiliency Act of 2024 presents a well-rounded approach to strengthening healthcare cybersecurity through a combination of regulatory updates, federal grants, and improved inter-agency coordination. By requiring HHS to provide specific guidance on evaluating recognized security practices, HCCRA promotes greater transparency, enabling health care providers to align their security efforts with clear regulatory expectations.

The bill’s emphasis on adopting cybersecurity standards such as multifactor authentication, encryption, and continuous monitoring ensures that health care organizations stay ahead of evolving threats. Additionally, requiring HHS to codify these standards into law minimizes potential legal challenges, helping create a more predictable regulatory environment.

If enacted, HCCRA could reshape health care cybersecurity policy by reinforcing transparency, accountability, and sector-wide resilience—helping ensure that cybersecurity investments translate into more secure health care operations, reduced disruptions, and better patient care.

Steve Cagle is the CEO of Clearwater.