Bill Overview
Title: Healthcare Cybersecurity Act of 2022
Description: This bill requires the Cybersecurity and Infrastructure Security Agency (CISA) to undertake activities to improve the cybersecurity of the health care and public health sector. Specifically, CISA must collaborate with the Department of Health and Human Services (HHS) to improve cybersecurity in that sector. This includes making resources, including cyber-threat indicators and appropriate defense measures, available to federal and nonfederal entities that receive information through HHS programs. In addition, CISA must provide training on cybersecurity risks and mitigation strategies to owners of assets in the health care and public health sector. CISA must also conduct a study on cybersecurity risks in the health care and public health sector. The study must address, among other topics, the impact of the risks on rural entities and small- and medium-sized entities, cybersecurity workforce shortages in the sector, and challenges related to the COVID-19 emergency.
Sponsors: Rep. Crow, Jason [D-CO-6]
Target Audience
Population: Individuals whose data is managed by the healthcare and public health sector
Estimated Size: 332,000,000
- The bill addresses the cybersecurity of the healthcare and public health sector, affecting all individuals whose personal and medical data is held by healthcare providers, public health services, and associated entities.
- Given that healthcare providers serve the entire population, anyone receiving medical care, treatment, or public health services could be indirectly affected by improvements in cybersecurity.
- Cybersecurity improvements help protect sensitive personal and health information from breaches, which could also affect individuals globally whose data is protected through collaborations facilitated by the bill.
Reasoning
- The Healthcare Cybersecurity Act of 2022 primarily impacts entities that handle healthcare data, including hospitals, clinics, and public health institutions. It also indirectly affects all patients and staff of these entities due to the increased safeguarding of personal data.
- Wellbeing impacts of the policy might not be immediately perceptible to most individuals, as they relate to the prevention of cybersecurity breaches rather than tangible daily benefits. The psychological comfort of increased data protection may, however, improve long-term wellbeing slightly.
- Certain population sectors, like IT and cybersecurity professionals in healthcare, may experience higher policy impact due to increased training, resources, and employment opportunities. Patients, on the other hand, might only perceive benefits through the avoidance of data breaches.
- Given budget constraints, the impact in the first year would likely involve initial assessments, training, and implementation of cybersecurity measures, with more significant expansions and improvements seen over the decade.
Simulated Interviews
Healthcare Administrator (New York, NY)
Age: 34 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 4.0 years
Commonness: 5/20
Statement of Opinion:
- Improving cybersecurity is essential, especially as we rely more on digital records.
- Having CISA and HHS involved gives me confidence that our hospital's systems will become more secure.
- I'm concerned about the implementation costs on smaller hospitals like ours.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 6 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 5 |
Patient (Los Angeles, CA)
Age: 45 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 3.0 years
Commonness: 8/20
Statement of Opinion:
- Data breaches are terrifying; I want my information to be secure.
- Data privacy should be a priority for healthcare providers.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 5 | 4 |
| Year 2 | 6 | 4 |
| Year 3 | 6 | 3 |
| Year 5 | 6 | 3 |
| Year 10 | 6 | 2 |
| Year 20 | 5 | 2 |
Cybersecurity Analyst (Austin, TX)
Age: 29 | Gender: female
Wellbeing Before Policy: 8
Duration of Impact: 6.0 years
Commonness: 4/20
Statement of Opinion:
- This policy is a win-win for both patients and cybersecurity professionals.
- Increased training and resources will enhance my skills and job security.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 8 |
| Year 2 | 9 | 8 |
| Year 3 | 9 | 7 |
| Year 5 | 9 | 7 |
| Year 10 | 9 | 6 |
| Year 20 | 7 | 5 |
General Practitioner (Rural Oklahoma)
Age: 62 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 6/20
Statement of Opinion:
- I worry about the complexity of implementing new cybersecurity measures.
- Support from CISA and HHS could really help small practices like mine.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 7 | 5 |
| Year 3 | 7 | 5 |
| Year 5 | 8 | 5 |
| Year 10 | 7 | 4 |
| Year 20 | 6 | 3 |
Nurse (Chicago, IL)
Age: 50 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 10/20
Statement of Opinion:
- Our hospital's system was once held hostage by a cyber attack, so more security is vital.
- It's reassuring to know that there are efforts to protect our patients' data.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 5 |
| Year 5 | 7 | 5 |
| Year 10 | 7 | 4 |
| Year 20 | 6 | 4 |
IT Director of Healthcare Startup (San Francisco, CA)
Age: 39 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 5.0 years
Commonness: 3/20
Statement of Opinion:
- While security is important, I'm concerned we might be overwhelmed by compliance requirements.
- Efficient implementation is key to not stifling innovation in healthcare technology.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 7 | 6 |
| Year 3 | 8 | 5 |
| Year 5 | 8 | 4 |
| Year 10 | 8 | 3 |
| Year 20 | 7 | 3 |
Medical Student (Boston, MA)
Age: 22 | Gender: other
Wellbeing Before Policy: 6
Duration of Impact: 6.0 years
Commonness: 8/20
Statement of Opinion:
- It's crucial to understand how patient data is protected as future healthcare providers.
- Policies like these shape how we will practice and deliver care.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 5 |
| Year 5 | 7 | 5 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 4 |
Insurance Agent (Miami, FL)
Age: 46 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 2.0 years
Commonness: 9/20
Statement of Opinion:
- Cybersecurity in healthcare indirectly affects the insurance industry too.
- Protecting client data should be a top priority.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 6 | 5 |
| Year 3 | 6 | 5 |
| Year 5 | 7 | 5 |
| Year 10 | 7 | 4 |
| Year 20 | 6 | 3 |
Healthcare Advocate (Houston, TX)
Age: 55 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 7.0 years
Commonness: 7/20
Statement of Opinion:
- This policy is a step towards ensuring patients' rights to privacy.
- Cybersecurity in healthcare is an expanding field that needs solid policies.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 9 | 6 |
| Year 5 | 9 | 6 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 4 |
Tech Entrepreneur (Seattle, WA)
Age: 30 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 4/20
Statement of Opinion:
- Cybersecurity is a fundamental concern for sustainable innovation in health tech.
- Reliable cybersecurity measures can enhance trust and adoption of new technologies.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 7 | 5 |
| Year 3 | 8 | 5 |
| Year 5 | 8 | 5 |
| Year 10 | 8 | 4 |
| Year 20 | 7 | 3 |
Cost Estimates
Year 1: $100,000,000 (Low: $80,000,000, High: $120,000,000)
Year 2: $95,000,000 (Low: $75,000,000, High: $115,000,000)
Year 3: $90,000,000 (Low: $70,000,000, High: $110,000,000)
Year 5: $85,000,000 (Low: $65,000,000, High: $105,000,000)
Year 10: $80,000,000 (Low: $60,000,000, High: $100,000,000)
Year 100: $80,000,000 (Low: $60,000,000, High: $100,000,000)
Key Considerations
- The direct costs to federal agencies like CISA depend on the specifics of the collaborative initiatives and how they leverage existing resources.
- The costs could vary regionally, particularly in reaching small, medium, and rural healthcare entities, which may require tailored solutions.
- Efficacy of cybersecurity measures contributes to consumer confidence, potentially lifting economic activity and tax revenues indirectly.