Bill Overview
Title: Healthcare Cybersecurity Act of 2022
Description: This bill requires the Department of Health and Human Services (HHS) to undertake activities to improve the cybersecurity of the health care and public health sector. HHS must coordinate with the Cybersecurity and Infrastructure Security Agency (CISA) on these activities; in particular, CISA must make resources, including cyber-threat indicators and appropriate defense measures, available to federal and nonfederal entities that receive information through HHS programs. In addition, HHS must provide training on cybersecurity risks and mitigation strategies to owners of assets in the health care and public health sector. HHS must also update the Healthcare and Public Health Sector Specific Plan, which guides the sector's effort to enhance the security and resilience of critical infrastructure. The updates must address, among other topics, the impact of the risks on rural entities and small- and medium-sized entities, cybersecurity workforce shortages in the sector, and challenges related to the COVID-19 emergency.
Sponsors: Sen. Rosen, Jacky [D-NV]
Target Audience
Population: People who access healthcare services
Estimated Size: 330000000
- The bill targets the healthcare and public health sector.
- Cybersecurity in healthcare affects patients, medical professionals, and healthcare administrators.
- Improvements in healthcare cybersecurity will impact anyone who uses or trusts healthcare entities with their personal and health-related data, which is potentially everyone who accesses healthcare services.
- Globally, this could potentially impact billions of people, given the widespread use of health services worldwide.
Reasoning
- The policy primarily targets the healthcare sector, particularly focusing on cybersecurity. This includes hospitals, private practices, clinics, and health insurance providers.
- The policy aims to improve the security of healthcare data, which is crucial for all patients and entities involved.
- Given the budget constraints, not every healthcare entity will be able to benefit fully from the policy, particularly smaller or rural healthcare providers.
- Interviewing individuals involved in different facets of healthcare allows us to assess the varied impacts, including those who may not directly benefit, such as individuals in unaffected sectors or larger urban centers where resources are already more robustly allocated.
- Each individual's current Cantril wellbeing and their projected wellbeing changes will vary, given their initial context and how much they are directly affected by cybersecurity improvements.
Simulated Interviews
Healthcare IT Administrator (New York, NY)
Age: 45 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 20.0 years
Commonness: 3/20
Statement of Opinion:
- I feel this policy is long overdue. Our systems are frequently under threat, and we need better cybersecurity measures in place.
- Collaborating with CISA will bring expertise that's currently missing.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 5 |
| Year 5 | 8 | 5 |
| Year 10 | 8 | 5 |
| Year 20 | 9 | 4 |
General Practitioner (Atlanta, GA)
Age: 34 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 15.0 years
Commonness: 2/20
Statement of Opinion:
- Cybersecurity is always a risk, and this policy could help protect patient data.
- However, I'm concerned about implementation costs for small practices like mine.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 6 |
| Year 3 | 9 | 6 |
| Year 5 | 9 | 5 |
| Year 10 | 8 | 4 |
| Year 20 | 8 | 4 |
Hospital Administrator (Rural Kansas)
Age: 52 | Gender: female
Wellbeing Before Policy: 5
Duration of Impact: 20.0 years
Commonness: 2/20
Statement of Opinion:
- I'm hopeful this policy will address our workforce shortage and improve training.
- Rural hospitals are often overlooked in such plans; I hope that's not the case here.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 7 | 5 |
| Year 3 | 7 | 5 |
| Year 5 | 7 | 5 |
| Year 10 | 7 | 5 |
| Year 20 | 8 | 4 |
Patient (San Francisco, CA)
Age: 29 | Gender: male
Wellbeing Before Policy: 8
Duration of Impact: 5.0 years
Commonness: 5/20
Statement of Opinion:
- I think this is essential as cybersecurity threats only seem to be increasing.
- I feel safer knowing there's more oversight and better training.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 8 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 7 |
| Year 10 | 8 | 6 |
| Year 20 | 8 | 6 |
Retired (Los Angeles, CA)
Age: 63 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 6/20
Statement of Opinion:
- I don't fully understand what's involved with cybersecurity, but anything that protects my information is good.
- I hope it benefits all areas, especially where I get my healthcare.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 5 |
| Year 10 | 6 | 5 |
| Year 20 | 6 | 4 |
Healthcare Policy Analyst (Miami, FL)
Age: 39 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 10.0 years
Commonness: 3/20
Statement of Opinion:
- This policy has the potential to do a lot of good, especially if it includes accountability measures.
- I'm interested in how it will address workforce shortages.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 6 |
| Year 10 | 7 | 5 |
| Year 20 | 7 | 5 |
Cybersecurity Expert (Houston, TX)
Age: 47 | Gender: female
Wellbeing Before Policy: 8
Duration of Impact: 20.0 years
Commonness: 2/20
Statement of Opinion:
- The collaboration with CISA should streamline security measures and make it easier to keep up with threats.
- However, execution will be key; otherwise, it might just be regulatory bloat.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 9 | 8 |
| Year 2 | 9 | 8 |
| Year 3 | 9 | 8 |
| Year 5 | 9 | 7 |
| Year 10 | 8 | 7 |
| Year 20 | 8 | 6 |
Nurse (Seattle, WA)
Age: 32 | Gender: other
Wellbeing Before Policy: 7
Duration of Impact: 15.0 years
Commonness: 4/20
Statement of Opinion:
- Policies like this are crucial as everything moves online.
- I'm concerned about practical training and resource allocation.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 6 |
| Year 10 | 7 | 6 |
| Year 20 | 7 | 6 |
Patient Advocate (Phoenix, AZ)
Age: 56 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 20.0 years
Commonness: 3/20
Statement of Opinion:
- Patient data security is fundamental; this policy is a critical step forward.
- But, will it trickle down to all patients equally or just benefit larger hospitals?
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 7 | 5 |
| Year 3 | 7 | 5 |
| Year 5 | 8 | 5 |
| Year 10 | 8 | 5 |
| Year 20 | 7 | 4 |
Insurance Analyst (Denver, CO)
Age: 38 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 3/20
Statement of Opinion:
- Improved cybersecurity measures should reduce incidents of data breaches.
- This is positive for insurers, but we need clear foresight on costs and impacts.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 8 | 6 |
| Year 3 | 8 | 6 |
| Year 5 | 8 | 5 |
| Year 10 | 7 | 5 |
| Year 20 | 7 | 5 |
Cost Estimates
Year 1: $95000000 (Low: $85000000, High: $105000000)
Year 2: $95000000 (Low: $85000000, High: $105000000)
Year 3: $95000000 (Low: $85000000, High: $105000000)
Year 5: $95000000 (Low: $85000000, High: $105000000)
Year 10: $0 (Low: $0, High: $0)
Year 100: $0 (Low: $0, High: $0)
Key Considerations
- The need for a robust cybersecurity framework in healthcare has become critical due to increased cyber threats and data breaches.
- Collaboration with HHS ensures health-specific considerations are included in cybersecurity strategies.
- Funding allocations should be assessed in terms of scalability and potential advancement in cybersecurity technologies over time.
- The policy may necessitate additional action if the initial study uncovers significant cybersecurity weaknesses.
- The program should consider ongoing cybersecurity skill development as threats continue to evolve.