New bill seeks to mandate healthcare cybersecurity standards
The proposed legislation, which has the backing of the Department of Health and Human Services, would require the health agency to set and enforce cybersecurity standards for healthcare providers, clearinghouses and other industry players.
A measure introduced Thursday would direct the Department of Health and Human Services to craft a new set of minimum cybersecurity standards for the healthcare sector and require the agency to conduct yearly audits of health entities overseen by those new rules.
The Health Infrastructure Security and Accountability Act — led by Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va. — amends the Health Insurance Portability and Accountability Act requirements and directs HHS to build new “mandatory minimum cybersecurity standards for health care providers, health plans, clearinghouses and business associates” with a special focus on healthcare operations important to national security.
The bill comes in the wake of a crippling ransomware attack on UnitedHealth’s Change Healthcare unit in February, which likely affected a third of all Americans and created several healthcare processing challenges that continued into the early summer, including delayed prescription fills and cash crunches at rural clinics and hospitals.
The hackers used stolen credentials to break into a Change Healthcare server that was not protected by multifactor authentication, a login control that requires a second proof of identity (such as a one-time code or a hardware token) in addition to a password, so that a stolen password alone is not enough to get in.
The measure mandates annual cybersecurity audits and stress tests for healthcare entities, with waivers for small providers, and requires HHS to audit key entities each year. It also would remove fine caps for large corporations, fund HHS oversight through user fees and allocate $1.3 billion to hospitals for cybersecurity improvements.
The HHS secretary’s ability to accelerate Medicare payments during cyber disruptions would also be codified. The Change hack had massive cascading effects in what was arguably the largest cyberattack on the U.S. healthcare industry to date. Between March 26 and April 3, 80% of physician practices lost revenue from unpaid claims, while 55% of respondents said they needed to use personal funds to cover expenses, according to an American Medical Association survey.
In extreme cases, healthcare executives who knowingly file security documentation containing false information could face jail time.
“With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure health care providers and vendors get serious about cybersecurity and patient safety,” Warner said.
“Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” said Wyden.
While the agency already has some existing cyber authorities under HIPAA, the proposed law would give it the power to inventory important healthcare entities. The Cybersecurity and Infrastructure Security Agency and the Director of National Intelligence would also take part in crafting the standards, according to the bill’s text.
CISA notably has established its own set of systemically important entities — organizations whose infrastructure is so important that if it were disrupted, it could impact national security, economic security or public health and safety — though that list is not made publicly available for security reasons.
HHS backs the new legislation. “Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential,” Deputy Secretary Andrea Palm said in a statement.
HHS has previously announced steps to enhance cybersecurity standards in existing programs. That includes potentially leveraging the major payer programs at HHS as well as authorities under HIPAA to enforce compliance.
Healthcare infrastructure is a treasure trove for hackers because it often contains digital repositories of sensitive patient information that, if pilfered, can be sold to other criminal cyber operatives for use in extortion or fraud schemes. A February intelligence community analysis says cyberattacks against the healthcare sector skyrocketed 128% in 2023, with 258 known victims that year versus 113 in 2022.