New Cybersecurity Policies Could Protect Patient Health Data

March 13, 2025

As healthcare policy takes center stage, recently enacted cybersecurity legislation is poised to redefine patient privacy and data security. At the forefront of these changes are the Healthcare Cybersecurity Act of 2024 and the Health Infrastructure Security and Accountability Act of 2024, both passed in 2024 and in effect since January 2025. These laws aim to address the evolving threats to sensitive health information and ensure stronger patient protection.

Cybercriminals target healthcare organizations daily, seeking to exploit sensitive data, including medical histories, insurance details, and even genomic information. The new legislation tackles these challenges from multiple angles: one act focuses on strengthening infrastructure and federal coordination to prevent breaches, while the other emphasizes privacy and accountability by holding organizations to higher standards. Together, these policies provide a roadmap for protecting patient data in an increasingly digital and interconnected healthcare landscape.

Why Healthcare?

Healthcare is an especially lucrative target for cybercriminals due to the high value of medical data in the underground market. Unlike credit card information, which can be quickly canceled once compromised, medical records are permanent and can be exploited for years. Health records often contain a wealth of information – social security numbers, insurance details, medical histories, and even genomic data – that can be used for identity theft, insurance fraud, or creating fake medical claims.

Additionally, in the face of a ransomware attack, the critical nature of healthcare services makes organizations more likely to pay hefty ransom demands to restore access to their systems swiftly, as disruptions can negatively impact patient care. The combination of valuable data and high-stakes urgency makes the healthcare sector a prime target for cyberattacks.

Existing legislation and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), were not designed to address the rapidly evolving cybersecurity challenges facing the healthcare industry today.

While HIPAA established foundational standards for protecting patient data, it primarily focuses on privacy and compliance rather than proactively defending against sophisticated cyber threats. Healthcare organizations struggle to keep pace with advances in attacker techniques, leaving critical gaps in their security infrastructure.

Strengthening Infrastructure

The Healthcare Cybersecurity Act of 2024 addresses the alarming rise in cyberattacks targeting healthcare facilities. Between 2018 and 2022, cyber breaches in healthcare nearly doubled, compromising sensitive patient information and threatening the continuity of care. This legislation emphasizes a coordinated federal approach to enhance cybersecurity in the healthcare sector.

The act tackles the growing threat of cyberattacks by emphasizing a coordinated federal response. Central to the legislation is a partnership between the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS). This collaboration is designed to provide the healthcare sector with the tools, strategies, and expertise to combat evolving cyber threats effectively.

These agencies will develop targeted cybersecurity strategies to protect critical healthcare assets. The goal is to provide technical assistance and training to healthcare providers, with special attention to small and rural entities with limited resources. Additionally, CISA and HHS will share cyber threat intelligence to enhance incident response and situational awareness across the sector.

This new emphasis on sharing intelligence is crucial. By establishing formal channels for real-time communication between the federal government and healthcare organizations, the legislation ensures that vital information about threats can be quickly and effectively shared. This collaborative exchange enables providers to respond swiftly to emerging threats, reducing the potential impact of attacks. For example, if one hospital detects malicious activity, details about attack vectors and effective mitigation strategies can immediately be shared with others, allowing for preemptive actions across the sector.

Focusing on Privacy and Accountability

Alongside the Healthcare Cybersecurity Act, the Health Infrastructure Security and Accountability Act of 2024 (HISAA) complements HIPAA and centers on protecting individual patient privacy by implementing more stringent accountability measures. Building on the foundation of earlier regulations like HIPAA, HISAA introduces more rigorous requirements to address the modern threat landscape.

For example, HISAA mandates regular risk assessments to identify and address security gaps within healthcare organizations. These assessments must be submitted to HHS for review, ensuring transparency and regulatory oversight. HISAA imposes significant financial penalties for lapses to enforce compliance, with fines reaching up to $5,000 per day and no cap on the total amount. This level of accountability sends a clear message that cybersecurity is no longer optional but essential.

Beyond fines, HISAA introduces criminal penalties for false compliance reporting, underscoring the gravity of cybersecurity responsibilities. These measures ensure that healthcare executives and leaders remain accountable for the security of the sensitive data they manage.

HISAA also recognizes the challenges faced by smaller providers and rural facilities, offering tailored protocols to help them meet compliance standards. For instance, HISAA encourages the adoption of virtual chief information security officers (vCISOs): external experts who provide cybersecurity guidance on a flexible, as-needed basis. The vCISO approach enables smaller organizations to access high-level expertise without the financial burden of hiring full-time, in-house security officers. These external, part-time experts can help organizations remain compliant and secure without breaking the bank.

Thankfully, HISAA also provided $1.3 billion in funding to help hospitals implement much-needed cybersecurity improvements. Over two years, $800 million was earmarked for 2,000 rural and urban safety net hospitals to help them adopt cybersecurity standards, and $500 million was allocated for all hospitals to encourage them to adopt enhanced cybersecurity practices. Cybersecurity professionals will wait to see what survives the new administration’s budget cuts.

Building a Unified Framework

The Healthcare Cybersecurity Act and HISAA create a comprehensive framework that addresses both prevention and accountability. While the Healthcare Cybersecurity Act focuses on reinforcing systems to thwart cyberattacks, HISAA seeks to ensure that organizations handling patient data remain transparent and proactive in their defense strategies.

These policies set the stage for a safer and more accountable healthcare system and reassure patients that their most sensitive information is being protected in an increasingly digital world. They represent regulatory progress and a necessary shift toward building trust and resilience in the face of evolving threats.

However, there is still much work to be done. Implementation will require significant investment in technology and workforce training, particularly for smaller and under-resourced providers. Ongoing collaboration among healthcare organizations, government agencies, and cybersecurity experts will be essential to keep pace with rapidly evolving threats and ensure these laws achieve their intended goals.

About the Author

Errol Weiss | Chief Security Officer at Health-ISAC.

Errol Weiss is the Chief Security Officer at Health-ISAC. He joined Health-ISAC in 2019 as its first Chief Security Officer. He created a threat intelligence analysis center in Titusville, Florida, that provides meaningful and actionable threat intelligence for IT and infosec professionals in the healthcare sector.

Errol has over 25 years of experience in information security. He began his career with the National Security Agency (NSA), conducting penetration tests of classified networks. He created and ran Citigroup’s Cyber Intelligence Center and was a Senior Vice President Executive with Bank of America’s Global Information Security team. Errol has an M.S. in Technical Management from Johns Hopkins University and a B.S. in Computer Engineering from Bucknell University.