Nevada’s Rosen aims to protect hospitals from Russian cyberattacks
March 24, 2022 - 9:00 am
Updated March 24, 2022 - 5:14 pm
Nevada Democratic Sen. Jacky Rosen and Republican Louisiana Sen. Bill Cassidy late Wednesday introduced bipartisan legislation aimed at protecting hospitals and the health care sector from potential Russian cyberattacks.
The Healthcare Cybersecurity Act would direct the Cybersecurity and Infrastructure Security Agency to collaborate with the Department of Health and Human Services to bolster cybersecurity in the health care and public health sector, according to Rosen’s office.
“Hospitals and health centers are part of our critical infrastructure and increasingly the targets of malicious cyberattacks, which can result in data breaches, the cost of care being driven up, and negative patient health outcomes,” Rosen said in a statement. “This bipartisan bill will help strengthen cybersecurity protections and protect lives.”
The bill’s introduction comes after President Joe Biden and his administration earlier this week urged American companies to take immediate action to harden their cyber defenses “based on evolving intelligence that the Russian government is exploring options for potential cyberattacks.” According to a new POLITICO analysis of Health and Human Services data, nearly 50 million people in the U.S. had their sensitive health data breached in 2021, a threefold increase in just the last three years.
In addition to requiring collaboration between the federal agencies, the legislation would authorize cybersecurity training for healthcare and public health care entities on cybersecurity risks and ways to mitigate them.
It also would require the Cybersecurity and Infrastructure Security Agency to conduct a detailed study of specific risks and their impacts, challenges in updating information systems and cybersecurity workforce shortages.
The bill does not authorize any additional funding to implement these measures, said Joe Bush, Rosen’s press secretary.
Hospitals ‘under attack for years’
Cyberattacks on hospitals, including those in Southern Nevada, are not new.
“While the war in Ukraine may have elevated the threat level, the fact is that our hospitals have been under attack for years,” said Brett Callow, a threat analyst for cybersecurity firm Emsisoft. “And they still are under attack, with at least four having been hit by ransomware already this year.”
He said hospitals need to identify areas where they may not have implemented best practices and take corrective action as soon as possible.
“Unless we find ways to improve security in the healthcare sector, it’s only a matter of time before an attack costs somebody their life. In fact, that may already have happened,” Callow said in an email.
He pointed to a lawsuit alleging that a 2019 ransomware attack on Mobile, Ala.-based Springhill Medical Center resulted in a baby’s death.
The facility shut down its network for nearly eight days because of a ransomware attack. Patient records were inaccessible, and medical staff were cut off from equipment used to monitor fetal heartbeats, according to the Wall Street Journal.
The lawsuit was filed by the mother of an infant girl born with the umbilical cord wrapped around her neck, cutting off the supply of blood and oxygen. Normally, the condition triggers warning signs on a heart monitor.
The baby suffered severe brain damage and died nine months later.
Cyber attacks on local hospitals
The legislation was welcomed by Mason Van Houweling, CEO of University Medical Center in central Las Vegas.
“As a recent victim of a cybersecurity attack, we understand the importance of collaborating with various agencies to safeguard valuable information through education, mitigation and additional resources,” he said.
In June of last year, UMC confirmed a criminal data breach after a notorious hacker group began posting personal information purportedly obtained in a cyberattack.
UMC acknowledged that cybercriminals had accessed a server used to store data, including protected health information.
Universal Health Services, which operates Valley Health System hospitals in Southern Nevada, said it shut down its computer networks across the U.S. following a cyberattack on Sept. 27, 2020. It was two weeks before the computer networks were restored.
“Health centers save lives and hold a lot of sensitive, personal information. This makes them a prime target for cyber-attacks,” said Cassidy, the Louisiana senator and a physician. “This bill protects patients’ data and public health by strengthening our resilience to cyber warfare.”
A previous version of this story incorrectly stated that the bill would be introduced Thursday.
Contact Mary Hynes at mhynes@reviewjournal.com or 702-383-0336. Follow @MaryHynes1 on Twitter.