In response to the growing threat of cyberattacks on the healthcare sector, two Democratic senators have proposed a new bill to strengthen cybersecurity measures across the industry. Senators Ron Wyden (D-Ore.) and Mark Warner (D-Va.) introduced the Health Infrastructure Security and Accountability Act, which not only enforces stricter security requirements but also holds top executives accountable for falsely attesting to their organization’s compliance in security audits.
The bill sets out to address cybersecurity gaps in healthcare, highlighted by high-profile cyber incidents such as the February attack on Change Healthcare that caused widespread disruptions. The proposed legislation is notable for its wide scope: it mandates security enhancements and introduces severe penalties for non-compliance, including financial penalties and potential prison time for top executives.
The Health Infrastructure Security and Accountability Act introduces the following key provisions:
Senator Warner emphasized the urgency of going beyond voluntary standards and ensuring healthcare organizations take cybersecurity seriously. “With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure healthcare providers and vendors get serious about cybersecurity and patient safety,” Warner said in a statement.
The bill also recognizes the financial burden that smaller healthcare providers may face in implementing new security standards. To mitigate this, it provides $800 million over two years to help rural and urban safety-net hospitals adopt essential cybersecurity standards. Additionally, $500 million is set aside to incentivize all hospitals to implement enhanced security practices. Failure to comply with these standards could result in Medicare payment penalties.
Despite the bill’s ambitious goals, experts remain skeptical about its chances of passing. The lack of a Republican co-sponsor and the current political climate could hinder its progression through Congress. Todd Weber, vice president of professional services at security firm Semperis, expressed doubt that the bill would move forward, given the political and geopolitical issues facing its sponsors.
However, the bill’s introduction continues to shine a spotlight on healthcare cybersecurity, an issue that has only grown more urgent as cyberattacks against healthcare organizations become increasingly sophisticated and disruptive.
The proposed legislation coincides with ongoing efforts by the U.S. Department of Health and Human Services to modify the HIPAA Security Rule. HHS is expected to announce new rules by the end of the year to strengthen the cybersecurity of electronic protected health information (ePHI). These rules could include mandatory cybersecurity performance goals for hospitals, with financial incentives tied to Medicare payments.
Experts agree that healthcare organizations must prioritize cybersecurity as a critical aspect of patient safety and operational resilience. “You either pay to do security upfront, or you pay after the event to fix it,” said David Finn, executive vice president of governance, risk, and compliance at First Health Advisory. The long-term cost of a cyberattack often far exceeds the investment needed to prevent one.
As the healthcare sector struggles with these risks, legislation like the Wyden-Warner bill stresses the importance of robust cybersecurity practices and increased corporate accountability in safeguarding patient data and the nation’s health infrastructure.
Cybersecurity is critical in healthcare because hospitals and healthcare providers store vast amounts of sensitive patient data, including medical records and personal information. A cyberattack could not only compromise this data but also disrupt patient care, impact medical devices, and even threaten patient safety.
The biggest challenges include a lack of resources and funding, outdated technology, the complexity of healthcare systems, and insufficient awareness or training on cybersecurity practices. Smaller healthcare providers, in particular, may struggle to implement robust cybersecurity measures due to limited budgets.
Healthcare organizations can adopt several best practices to improve cybersecurity, including: