Amid a surge in healthcare data breaches, US Senators Ron Wyden and Mark Warner have introduced the Health Infrastructure Security and Accountability Act. The bill enforces mandatory cybersecurity standards, with $1.3 billion allocated to help healthcare providers upgrade their cybersecurity measures.
What happened
With over 43 million individuals affected by healthcare data breaches in 2024, Senators Wyden and Warner introduced the Health Infrastructure Security and Accountability Act. The legislation mandates that covered entities comply with strict cybersecurity standards or face steep penalties. It is the most significant proposed amendment to the Health Insurance Portability and Accountability Act (HIPAA) cybersecurity provisions since 2013.
More specifically, the bill proposes $1.3 billion to support cybersecurity upgrades, with $800 million reserved for rural and underserved hospitals. An additional $500 million would help all hospitals improve their defenses. The bill also removes caps on fines for large corporations and introduces mandatory third-party audits, stress testing, and executive certifications of compliance to protect healthcare systems.
By the numbers
- 43 million individuals affected by healthcare data breaches in 2024.
- 21% increase in healthcare breaches compared to the previous year.
- $1.3 billion total funding proposed to help hospitals meet cybersecurity standards.
- $800 million was allocated for rural and underserved hospitals.
- $500 million designated for general cybersecurity improvements across over 6,000 hospitals.
- 700,000 HIPAA-covered entities must comply with the new cybersecurity standards.
- 4 tiers of civil monetary penalties, ranging from $500 to $250,000, based on the severity of non-compliance.
- 3 years for organizations to perform mandatory security risk analysis, including stress tests, disaster recovery plans, and certification by senior executives.
Why it matters
The proposed Health Infrastructure Security and Accountability Act brings $1.3 billion in financial support to strengthen healthcare cybersecurity and introduces mandatory standards to protect patient data. The bill will reduce the likelihood of cyberattacks with steep penalties, executive accountability, and mandatory audits.
The bottom line
As healthcare-related cyberattacks evolve, providers must use secure communication methods, like HIPAA compliant email, along with the Act’s provisions, to safeguard health information and maintain national security.
Related: HIPAA Compliant Email: The Definitive Guide
FAQs
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes national standards for safeguarding protected health information (PHI). HIPAA mandates that healthcare providers, insurers, and business associates safeguard patients’ PHI during transit and at rest.
What types of information are protected under HIPAA?
HIPAA protects all individually identifiable health information held or transmitted by covered entities or their business associates, including mental health records.
What is a data breach?
A breach occurs when an unauthorized party gains access, uses or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
