Senators Propose New Legislation for Improving Healthcare Cybersecurity and Accountability

Senators Ron Wyden (D-OR) and Mark Warner (D-VA) have proposed new legislation to improve healthcare cybersecurity. The bill calls for mandatory minimum cybersecurity standards for all HIPAA-regulated entities and greater accountability for healthcare organizations that fail to meet the minimum standards, including jail time for executives.
The HIPAA Security Rule sets minimum standards for cybersecurity for HIPAA-covered entities (healthcare providers, health plans, and healthcare clearinghouses) and business associates of those entities; however, it was signed into law two decades ago and has not received an update since 2013. The Department of Health and Human Services (HHS) is trying to improve cybersecurity across the healthcare industry and has developed cybersecurity performance goals for HIPAA-regulated entities that include specific cybersecurity measures, but even the "essential" cybersecurity performance goals are only voluntary.
Healthcare data breaches are being reported at an alarming rate. According to the senators, 725 healthcare data breaches were reported to the HHS' Office for Civil Rights (OCR) in 2023, and the protected health information of more than 120 million Americans was exposed or stolen in those incidents. The healthcare industry is the #1 target for ransomware groups, and this year has seen what is expected to be the largest-ever healthcare data breach and certainly the most disruptive healthcare cyberattack in history, having affected healthcare providers across the United States for months.
It was the Change Healthcare cyberattack that pushed the senators into proposing the new legislation. UnitedHealth Group, the parent company of Change Healthcare, is a truly massive healthcare organization and the world's 11th-largest company by revenue. Change Healthcare's clearinghouse network includes 6,000 hospitals, one million physicians, and 2,400 payer connections, its systems touch the health data of 1 in 3 Americans, and the company completes more than 15 billion healthcare transactions a year.
The ransomware attack in February 2024 forced Change Healthcare to shut down its systems, many of which remained offline for months. The lack of access to those systems meant healthcare providers across the country could not bill or be paid for their services, with many pushed to the brink due to a lack of funding. The ransomware attack was made possible due to the lack of multifactor authentication on a public-facing server. As Sen. Wyden explained, "Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result."
The bill, the Health Infrastructure Security and Accountability Act (HISAA), would set minimum cybersecurity standards for healthcare organizations and improve accountability for companies that fail to meet cybersecurity standards. "The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans' well-being and privacy," said Sen. Wyden. "These common sense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American healthcare system."
The HITECH Act requires the HHS' Office for Civil Rights to conduct audits of HIPAA-regulated entities to assess compliance with the HIPAA Rules; however, due to funding problems, no audits have been conducted since 2017. HISAA requires the HHS to conduct at least 20 audits a year, focusing on organizations of systemic importance. To address the funding shortfall, the bill proposes $1.3 billion for the HHS to support hospitals and create serious accountability for companies that fail to meet cybersecurity standards.
In addition to mandatory cybersecurity standards, healthcare organizations would be required to submit to annual independent cybersecurity audits and conduct stress tests to determine if they are able to restore services promptly in the event of a cyberattack. Similar to the requirements of the Sarbanes-Oxley Act, HISAA requires executives of healthcare organizations to annually sign confirmations that they are fully compliant with the cybersecurity requirements of HISAA.
Many healthcare providers simply do not have the necessary funds to make significant improvements to cybersecurity, especially rural and urban safety net hospitals. HISAA calls for $800 million to be made available to cover up-front investments in cybersecurity at those hospitals and $500 million for all hospitals to help them adopt enhanced cybersecurity standards. Currently, the financial penalties for HIPAA violations are relatively low and are capped. The bill proposes removing those penalty caps so that penalties large enough to deter lax cybersecurity can be imposed on mega-corporations. The increased security oversight and enforcement work of the HHS would be funded through a user fee on all regulated entities.
What is clear is something needs to be done to improve healthcare cybersecurity, reduce the number of cyberattacks and data breaches, and make it harder for another cyberattack of the magnitude of the Change Healthcare ransomware attack to occur again. Whether this bill can gather enough support to be passed into law remains to be seen, but it should at least serve as a starting point for discussions about what can be done to improve healthcare cybersecurity in the United States.