WASHINGTON, D.C. – Rep. Brian Fitzpatrick (R-PA-01) today was joined by Rep. Jason Crow (D-CO-06) to introduce a bill protecting Americans’ healthcare data from cyberattacks. The bipartisan Healthcare Cybersecurity Act comes as nearly 50 million people in the US had their sensitive health data breached in 2021, a threefold increase in just the last three years. Those breaches have resulted in a 16% increase in the average cost of recovering a patient record in 2020 compared to 2019.

The bill has also been introduced in the US Senate by Senators Jacky Rosen (D-NV) and Bill Cassidy (R-LA).

“46 million Americans had their health data breached in 2021 as a result of a cyberattack,” said Rep. Fitzpatrick. “The increasing number of attacks on our hospitals and health centers must be addressed. That is why I am proud to join my colleague Rep. Crow to introduce The Healthcare Cybersecurity Act of 2022 which will create new resources for cybersecurity risk training and promote strong cybersecurity measures across our Nation’s healthcare systems.”

“Cyberattacks on our hospitals and health centers are becoming increasingly common and they are driving up our healthcare costs,” said Rep. Crow. “I’m proud to introduce the bipartisan Healthcare Cybersecurity Act with Rep. Fitzpatrick to protect the American people and their data from these malicious attacks.”

“As hospitals and other healthcare organizations across the United States face an onslaught of cyberattacks, we must take proactive steps to enhance information sharing and improve cybersecurity in the healthcare and public health sector,” said Sen. Rosen. “That’s why I introduced the bipartisan Healthcare Cybersecurity Act in the Senate to strengthen cybersecurity protections and protect patient information, and I am glad to see it introduced on a bipartisan basis in the House of Representatives.”

Data reported to the Department of Health and Human Services (HHS) shows that almost every month in 2020, more than 1,000,000 people were affected by data breaches at healthcare organizations. Cyberattacks on healthcare facilities rose 55% in 2020.

This crucial legislation begins to address this issue by directing the Cybersecurity and Infrastructure Security Agency (CISA) to collaborate with HHS to improve cybersecurity in the Health Care and Public Health Sector, one of the United States’ sixteen critical infrastructure sectors. Cyberattacks against these entities are increasing in frequency and severity, particularly because they hold large amounts of sensitive patient information and are perceived as vulnerable by malicious actors. Collaboration and information sharing between the public and private sectors are essential to increasing cyber resilience for health-focused entities.

Specifically, the bipartisan Healthcare Cybersecurity Act:

  • Requires CISA and HHS to collaborate, including by entering into an agreement, to improve cybersecurity in the Healthcare and Public Health sector, as defined by CISA.
  • Authorizes cybersecurity training for Healthcare and Public Health sector asset owners and operators on cybersecurity risks and ways to mitigate them.
  • Requires CISA to conduct a detailed study on specific cybersecurity risks facing the Healthcare and Public Health Sector, including an analysis of how cybersecurity risks specifically impact health care assets, an evaluation of the challenges health care assets face in securing updated information systems, and an assessment of relevant cybersecurity workforce shortages.