How hospitals may be affected if a 10-year-old cybersecurity law is allowed to lapse

Congress has until the end of September to renew the law, which allows organizations to share information about potential cyber threats.

The healthcare industry has seen an increasing number of cyberattacks in recent years, and time is running out for Congress to renew legislation that experts say is key to detecting threats before an attack takes place.

Known as the Cybersecurity Information Sharing Act of 2015, or CISA, the legislation lets organizations that scan for cyber threats share information about potential bad actors before a cyberattack occurs, without potential legal liability. But the act is set to expire on Sept. 30, and experts told Healthcare Brew that without it, the healthcare system would be more vulnerable.

“When information is not shared, it gives an upper hand to the attackers because they go undetected,” Mike Nelson, VP of digital trust at cybersecurity firm DigiCert, said. “The unfortunate result is that, as less information is shared, attacks will certainly go up.”

The benefits of CISA

Before the legislation was passed, an organization that detected a threat of a potential cyberattack might have been hesitant to share that information for fear of legal liability, according to George Pappas, CEO of healthcare cybersecurity compliance company Intraprise Health.

“You’re really asking parties to share [information] before they have a solution,” he said.

What CISA did was remove that liability component so organizations were protected when sharing information about potential bad actors.

“Information sharing around cybersecurity is a critical aspect of protection,” Nelson said. “For example, if one hospital gets hit from ransomware, they can rapidly share how they were attacked, the details of that attack, and it can arm the rest of the industry to say, ‘Hey, we can now prevent that.’”

What could happen without CISA

If CISA is allowed to lapse at the end of September, hospitals and healthcare organizations at large will likely see more successful cyberattacks “because organizations would be less prepared to respond to those attacks,” Jon Moore, chief risk officer and SVP of consulting services at healthcare cybersecurity company Clearwater Security, said.

Navigate the healthcare industry

Healthcare Brew covers pharmaceutical developments, health startups, the latest tech, and how it impacts hospitals and providers to keep administrators and providers informed.

Cyberattacks are already a huge problem in healthcare. The industry had the most cyber threats last year among all critical infrastructure industries, according to the FBI’s 2024 Internet Crime Report, which listed a total of 444 ransomware and data breach incidents in healthcare. The same year, the Change Healthcare cyberattack affected over half the US population.

Without CISA, organizations will likely return to sharing less information on potential cyber threats because their legal teams will advise caution without the protections the act offers, Nelson said.

What comes next

Two senators—Mike Rounds, a Republican from South Dakota, and Gary Peters, a Democrat from Michigan—introduced a bill in April to extend CISA by another 10 years.

In a press release announcing the bill, Rounds said allowing CISA to lapse could “significantly weaken” cybersecurity ecosystems, “removing vital liability protections and hampering defensive operations across both the defense industrial base and critical infrastructure sectors.”

No progress has been made on advancing the bill, but Federal News Network reported on Aug. 19 that the House Homeland Security Committee confirmed plans to mark up the bill when Congress comes back from its August recess.

Since CISA was passed, the healthcare industry has seen “tremendous improvement” in keeping organizations protected from cyber threats, Nelson said, adding, “I just hope that progress continues.”