Cyberattacks targeting the nation’s critical infrastructure have become increasingly prevalent over the last few years, but, during the coronavirus disease 2019 (COVID-19) pandemic, attacks across all sectors have rapidly accelerated. Greater emphasis on remote work and business operations has created the “perfect storm” for cybercriminals to exploit security flaws within many organizations, especially the health care industry and the vaccine supply chain, which have been disproportionately impacted. Of all data breaches reported in 2020, 24.5% were in the health care sector, by far the highest of any industry, including information technology (IT) and the federal government. The health care sector’s vital mission, particularly during the pandemic, coupled with its dependence on interoperability, data exchange, and connected medical devices, has not only made it an especially attractive target for cybercriminals, but the ramifications of such attacks are uniquely disruptive. A survey found that 70% of hospitals surveyed had experienced a “significant security incident” within the past 12 months, including phishing and ransomware attacks that resulted in the disruption of IT operations (28%) and business functions (27%), as well as data breaches (21%), financial losses (20%), and impact on clinical care (15%).
Some of the factors cited for cybercriminals targeting health care organizations include:
- the wealth of sensitive information and intellectual property,
- potentially life-threatening consequences,
- interdependency and need for data exchange, and
- a reliance on a wide range of medical devices and outdated legacy systems.
Protected health information is also far more lucrative for criminals than credit card information, with criminals receiving roughly $10 to $1,000 per stolen medical record on the black market. Ultimately, public health infrastructure has played a critical role in the safety and security of the nation throughout the COVID-19 pandemic, making this industry an attractive target.
Similarly, attacks on other essential and highly connected organizations in the nation’s critical infrastructure, such as Colonial Pipeline and SolarWinds, have demonstrated just how far-reaching and destabilizing these cybersecurity breaches can be, heightening Washington’s sense of urgency to strengthen United States cybersecurity preparedness. Throughout the first several months of the 117th Congress, lawmakers in both chambers moved swiftly to respond to the rapid rise of cyberattacks. In July, the House of Representatives passed a slew of cyber-related measures, some aimed at funding state and local efforts to prevent future cyber threats while others contained more targeted measures.
The Cyber Sense Act (H.R. 2928) sponsored by US Representative Bob Latta (R-OH) directs the Energy Department to establish a voluntary program to test cybersecurity products and technologies used in the bulk power system. The DHS Industrial Control Systems Capabilities Enhancement Act (H.R. 1833) sponsored by Representative John Katko (R-NY) directs the Cybersecurity and Infrastructure Security Agency (CISA), the agency responsible for protecting federal computer networks from cyberattacks, to coordinate closely with Sector Risk Management Agencies, including the US Department of Health and Human Services (HHS), to protect against threats to industrial control systems.
On the Senate side, lawmakers are taking cyber-related legislation a step further. At the end of July, a group of bipartisan lawmakers led by Senate Select Intelligence Committee leaders Senators Mark R. Warner (D-VA) and Marco Rubio (R-FL) introduced the Cyber Incident Notification Act of 2021 (S. 2407), which would require “covered entities,” including cybersecurity firms, federal government contractors, and certain private companies that own or operate critical infrastructure, to alert CISA of a “cybersecurity intrusion” within 24 hours and provide notice of new information within 72 hours of discovery.
To implement this cyber incident reporting system, CISA would be required to promulgate an interim final rule establishing key provisions, such as which covered entities would be subject to the reporting requirements, what events would qualify as “cybersecurity intrusions,” and what information would need to be supplied in the notification. The Act also directs CISA to develop procedures for analyzing the cybersecurity incident(s) to assess the impact, identify potential sources, and advise on remediation efforts. Thus, many of the details of the cybersecurity program have yet to be determined but there are some relative certainties. For example, the Act stipulates that “covered entities” would be determined based on CISA’s assessment of the potential risks posed to critical infrastructure disruption and “cybersecurity intrusions” would include any events with the potential to harm public health, signaling that these reporting requirements are likely to impact how health care organizations respond to cyber threats. To incentivize compliance and cooperation, the Act would also provide some welcome liability protections for covered entities. Cybersecurity notifications provided by covered entities to CISA would be exempt from disclosure under the Freedom of Information Act (FOIA), and such information would be barred from being admitted as evidence in any civil or criminal action or as part of a subpoena unless issued by Congress.
Given Washington’s urgency to address the nation’s cybersecurity vulnerabilities and the significant impact these reporting requirements may have on critical infrastructure operators, including health care organizations, S. 2407 will be legislation to watch closely as it moves through the committee process. The Biden Administration and Department of Justice officials have previously signaled their support for mandated cyber incident reporting, and Congress will look to give agencies the statutory authority to do so in the wake of these increased cyberattacks. As one of the few issues receiving strong bipartisan support in 2021, cybersecurity legislation is expected to continue to advance when both chambers of Congress return to Washington in the fall.