US Senators propose stricter cybersecurity for healthcare entities
Tshedimoso Makhene Oct 7, 2024 6:09:31 AM
In response to the growing threat of cyberattacks on the healthcare sector, two Democratic senators have proposed a new bill to strengthen cybersecurity measures across the industry. Senators Ron Wyden (D-Ore.) and Mark Warner (D-Va.) introduced the Health Infrastructure Security and Accountability Act, which not only enforces stricter security requirements but also holds top executives accountable for falsely attesting to their organization’s compliance in security audits.
Key provisions of the Health Infrastructure Security and Accountability Act
The bill sets out to address cybersecurity gaps in healthcare that high-profile incidents have exposed, such as the February attack on Change Healthcare that caused widespread disruptions. The proposed legislation is notable for its wide scope: it mandates security enhancements and introduces severe penalties for non-compliance, including financial penalties and potential prison time for top executives.
The Health Infrastructure Security and Accountability Act introduces the following key provisions:
- Enhanced security requirements: The bill requires the Department of Health and Human Services (HHS) to adopt enhanced minimum security standards within two years. These standards will apply to all healthcare organizations and business associates, with heightened requirements for entities deemed "systemically important" to national security.
- Mandatory audits: HHS is required to audit the cybersecurity practices of at least 20 healthcare organizations and business associates annually. The audits will consider whether an entity is of systemic importance, its history of data security violations, and any complaints made against it.
- Civil and criminal penalties: Fines for non-compliance will range from $500 to $250,000, depending on the severity of the violation. Executives who knowingly submit false information in compliance audits could face fines up to $1 million and up to 10 years in prison.
- Executive accountability: Borrowing from the Sarbanes-Oxley Act’s model for financial disclosures, the bill requires top executives to certify their organization's cybersecurity compliance. Lying to the government about cybersecurity could result in severe consequences, including imprisonment.
Impact on healthcare cybersecurity
Senator Warner emphasized the urgency of going beyond voluntary standards and ensuring healthcare organizations take cybersecurity seriously. “With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure healthcare providers and vendors get serious about cybersecurity and patient safety,” Warner said in a statement.
The bill also recognizes the financial burden that smaller healthcare providers may face in implementing new security standards. To mitigate this, it provides $800 million over two years to help rural and urban safety-net hospitals adopt essential cybersecurity standards. Additionally, $500 million is set aside to incentivize all hospitals to implement enhanced security practices. Failure to comply with these standards could result in Medicare payment penalties.
Challenges in passing the bill
Despite the bill’s ambitious goals, experts remain skeptical about its chances of passing. The lack of a Republican co-sponsor and the current political climate could hinder its progression through Congress. Todd Weber, vice president of professional services at security firm Semperis, expressed doubt that the bill would move forward, given the political and geopolitical issues facing its sponsors.
However, the bill’s introduction continues to shine a spotlight on healthcare cybersecurity, an issue that has only grown more urgent as cyberattacks against healthcare organizations become increasingly sophisticated and disruptive.
A broader regulatory push for healthcare cybersecurity
The proposed legislation coincides with ongoing efforts by the U.S. Department of Health and Human Services to modify the HIPAA Security Rule. HHS is expected to announce new rules by the end of the year to strengthen the cybersecurity of electronic protected health information (ePHI). These rules could include mandatory cybersecurity performance goals for hospitals, with financial incentives tied to Medicare payments.
Experts agree that healthcare organizations must prioritize cybersecurity as a critical aspect of patient safety and operational resilience. “You either pay to do security upfront, or you pay after the event to fix it,” said David Finn, executive vice president of governance, risk, and compliance at First Health Advisory. The long-term cost of a cyberattack often far exceeds the investment needed to prevent one.
As the healthcare sector struggles with these risks, legislation like the Wyden-Warner bill stresses the importance of robust cybersecurity practices and increased corporate accountability in safeguarding patient data and the nation’s health infrastructure.
FAQs
Why is cybersecurity so important in healthcare?
Cybersecurity is critical in healthcare because hospitals and healthcare providers store vast amounts of sensitive patient data, including medical records and personal information. A cyberattack could not only compromise this data but also disrupt patient care, impact medical devices, and even threaten patient safety.
What are the biggest challenges to improving cybersecurity in healthcare?
The biggest challenges include a lack of resources and funding, outdated technology, the complexity of healthcare systems, and insufficient awareness or training on cybersecurity practices. Smaller healthcare providers, in particular, may struggle to implement robust cybersecurity measures due to limited budgets.
What can healthcare organizations do to improve cybersecurity?
Healthcare organizations can adopt several best practices to improve cybersecurity, including:
- Conducting regular security risk assessments.
- Implementing strong password policies and multi-factor authentication.
- Providing ongoing cybersecurity training for staff.
- Encrypting sensitive data.
- Keeping software and systems up to date.
- Developing an incident response plan for handling cyberattacks.