HISAA: A proposed overhaul to healthcare cybersecurity

A proposed bipartisan bill, HISAA, tries to enforce mandatory cybersecurity standards in healthcare, replacing HIPAA’s voluntary safeguards to better protect patient data.

What happened

In response to growing cybersecurity threats in healthcare, Senators Ron Wyden (D-OR) and Mark Warner (R-VA) introduced the Health Infrastructure Security and Accountability Act (HISAA) on September 26, 2024. The proposed legislation establishes mandatory cybersecurity standards for healthcare organizations, replacing the current patchwork of voluntary safeguards under HIPAA and HITECH. HISAA also includes provisions for funding compliance efforts, particularly for smaller and rural hospitals.

Going deeper

HIPAA and HITECH require healthcare organizations to implement reasonable security safeguards but do not mandate specific minimum standards. This flexibility has led to inconsistent security measures across the industry, leaving systems vulnerable. The urgency for stronger protections became clear following the widespread ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group, which disrupted healthcare operations nationwide.

In the know

HISAA seeks to close these gaps by introducing:

  • Mandatory cybersecurity standards overseen by the Department of Health and Human Services (HHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the Director of National Intelligence (DNI), with updates every two years.
  • Annual independent cybersecurity audits and stress tests to assess compliance and response capabilities. Organizations must publicly disclose their security status, with potential waivers for smaller providers.
  • Stricter accountability measures, including executive certifications of compliance. False reporting could lead to criminal penalties of up to $1 million in fines and 10 years in prison.
  • $1.3 billion in financial support, with $800 million allocated to rural and safety-net hospitals in the first two years.
  • Medicare payment adjustments to help organizations recover from cybersecurity incidents.

What was said

Supporters of HISAA argue that the bill is necessary to modernize healthcare cybersecurity, especially given the changing nature of cyber threats. Critics caution that while increased oversight is needed, compliance could pose financial and operational challenges for smaller healthcare organizations.

The legislation was introduced late in the 2024 congressional session, making its immediate passage uncertain. However, cybersecurity experts and policymakers anticipate further action in 2025 as the new administration takes office.

The big picture

HISAA marks a turning point in healthcare cybersecurity, shifting from loose guidelines to strict, enforceable standards. With cyberattacks on hospitals growing more frequent, the bill signals that protecting patient data is now a national security issue, not just a compliance checkbox. Tying cybersecurity to financial support and legal accountability forces healthcare organizations of all sizes to take real action.

FAQs

What is HISAA?

HISAA (Health Infrastructure Security and Accountability Act) is a proposed bill that mandates stricter cybersecurity standards for healthcare organizations, replacing the voluntary safeguards under HIPAA and HITECH.

How will HISAA impact healthcare organizations?

Organizations will need to meet federally mandated cybersecurity standards, undergo annual security audits, and publicly disclose their cybersecurity status. Non-compliance could result in fines or criminal penalties.

What support does HISAA provide for compliance?

HISAA includes $1.3 billion in funding, with $800 million allocated to rural and safety-net hospitals to help cover cybersecurity improvements.

What happens next with HISAA?

Introduced late in 2024, the bill’s passage remains uncertain. However, cybersecurity experts anticipate further legislative action in 2025 under the new administration.