Senate Bill proposes stricter cybersecurity mandates for healthcare

Senators Ron Wyden and Mark Warner have introduced a new bill intended to enhance cybersecurity within the healthcare industry. The proposed legislation seeks to enforce more stringent security measures, increase HIPAA enforcement penalties, and impose accountability on top executives by introducing potential fines and prison sentences for false compliance declarations.

What happened 

A new bill, known as the Health Infrastructure Security and Accountability Act, has been introduced by two Democrat senators—Senate Finance Committee Chair Ron Wyden (D-Ore.) and Sen. Mark Warner (D-Va.). The legislation seeks to impose stricter cybersecurity measures on the healthcare sector, including lifting the cap on HIPAA enforcement fines and holding top executives accountable through financial penalties or even prison time for falsely certifying security compliance during audits.

The bill comes in the wake of increasing cyberattacks targeting healthcare, most notably the recent attack on Change Healthcare in February. It aims to address gaps in healthcare cybersecurity by mandating stricter security measures and annual audits while offering funding to assist hospitals in meeting these new requirements.

See also: HIPAA Compliant Email: The Definitive Guide

Going deeper

The Wyden-Warner bill introduces a comprehensive approach to healthcare cybersecurity. Unlike other bipartisan efforts, this bill has not yet gained Republican co-sponsors. The legislation proposes mandatory security audits for healthcare entities and business associates, particularly those deemed “of systemic importance” or crucial to national security. Failure to comply with these mandates would result in penalties, including fines of up to $5,000 per day.

Another key element is the requirement for top executives to certify their organizations' compliance with these new cybersecurity standards, adding a layer of accountability. Executives could face fines as high as $1 million or up to 10 years in prison if found guilty of submitting false compliance reports.

What was said

Sen. Warner emphasized the importance of strengthening healthcare cybersecurity in light of increasing attacks, stating, "With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure healthcare providers and vendors get serious about cybersecurity and patient safety."

Sen. Wyden shared the same sentiments, demonstrating the industry's vulnerability: "The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy. These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among healthcare companies across the nation."

Toby Gouker, Chief Security Officer at First Health Advisory, believes the bill will elevate cybersecurity discussions across the board: "I think that this proposal in the bill will guarantee that cybersecurity is a standing agenda item on all board of directors meetings."

In the know 

The healthcare sector has become increasingly vulnerable to cyberattacks, which threaten financial stability, patient safety, and patient privacy. Recent incidents like the Change Healthcare breach have underscored the need for stronger cybersecurity measures. 

Read also: Top 10 healthcare data breaches so far in 2024

Why it matters 

The Health Infrastructure Security and Accountability Act represents a shift in how the government seeks to tackle cybersecurity vulnerabilities in the healthcare sector. With financial penalties, prison time for top executives, and mandatory security audits, the bill is poised to bring much-needed reform to an industry increasingly in the crosshairs of cybercriminals. 

Learn more: Tips for cybersecurity in healthcare

FAQs

What is the role of healthcare executives in cybersecurity?

Healthcare executives, such as CEOs and CIOs, oversee implementation and management of cybersecurity strategies in their organizations. They ensure that appropriate security measures are in place and that the organization complies with legal and regulatory standards.

What are common cyber threats in healthcare?

Common cyber threats include ransomware attacks, data breaches, phishing attacks, insider threats, and system vulnerabilities. Cybercriminals often target healthcare organizations because of the high value of patient data and the critical nature of healthcare services.

Go deeper: Cyberattacks on the healthcare sector

How can healthcare organizations protect themselves from cyberattacks?

Healthcare organizations can protect themselves by implementing robust cybersecurity measures such as encrypting patient data, conducting regular audits and risk assessments, training staff in cybersecurity awareness, using multi-factor authentication, and maintaining up-to-date security software and systems.