WANAN YOSSINGKUM/istock via Gett

Proposed bill calls for minimum healthcare cyber standards

The Health Infrastructure Security and Accountability Act would require HHS to establish minimum healthcare cyber standards and remove the cap on fines under HIPAA.

Senators Ron Wyden, (D-Ore.) and Mark Warner (D-Va.) introduced the Health Infrastructure Security and Accountability Act, with the goal of establishing minimum cyber standards in the healthcare sector. Specifically, the bill would require HHS to develop a set of minimum and enhanced cybersecurity standards for providers, health plans, clearinghouses and business associates to bolster security across the healthcare ecosystem.

Additionally, the bill would remove the current cap on fines under HIPAA, which the lawmakers say prevents HHS from issuing fines large enough to deter large corporations from sidestepping strong cybersecurity standards.

The bill articulated the industry's position following the Change Healthcare cyberattack, which left providers in a difficult financial position and exposed the risks of having single points of failure in the U.S. healthcare system.

"Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result," Wyden said in an accompanying press release.

"The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans' well-being and privacy. These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American health care system."

The bill's provisions

The Health Infrastructure Security and Accountability Act addressed several topics that have been at the forefront of healthcare cybersecurity discussions and government guidance in recent years. Chiefly, the bill would require the HHS secretary to develop and adopt minimum and enhanced security requirements within two years.

The minimum requirements would apply to healthcare entities across the U.S., and the enhanced security requirements would apply to "covered entities that are of systemic importance or important to national security."

The HHS secretary would be required to revisit and update these standards every two years.

In January 2024, HHS released sector-specific cybersecurity performance goals that consisted of essential and enhanced goals, with the intent of helping the sector improve its security. At the time, experts suggested that these would become the basis for future legislation that would set these minimum standards into law.

In addition to establishing minimum and enhanced standards, the bill would require covered entities and business associates to submit annual independent security audits and stress tests to determine their ability to restore service after a cybersecurity incident.

Furthermore, the bill would require HHS to audit the data security practices of at least 20 regulated entities annually and eliminate statutory caps on HHS fines so that larger fines can be issued.

The bill would also heighten corporate accountability by requiring executives to annually certify compliance with these standards. If passed, the bill would also give the HHS secretary the authority to provide advanced and accelerated Medicare payments in case of a disruption to the U.S. healthcare system, as was necessary during the Change Healthcare cyberattack.

Lastly, the bill would allocate $800 million in upfront investment payments to rural and urban safety-net hospitals and an additional $500 million to all hospitals to adopt the enhanced cybersecurity standards.

Lawmakers speak to bill's importance

Both Warner and Wyden have been outspoken about the need for increased healthcare cybersecurity standards. Warner released a policy options paper in November 2022 that aimed to address the current cybersecurity threats facing the sector.

In the aftermath of the Change Healthcare cyberattack, Wyden called on the Federal Trade Commission and the Securities and Exchange Commission to investigate UnitedHealth Group to determine whether federal laws were broken.

"Cyberattacks on our health care institutions threaten patients' most private data and delay essential medical care, directly endangering Americans' lives and long-term health," Warner said. "With hacks already targeting institutions across the country, it's time to go beyond voluntary standards and ensure health care providers and vendors get serious about cybersecurity and patient safety."

Andrea Palm, deputy secretary of HHS, added in the press release that more must be done to prevent healthcare cyberattacks.

"Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential."

If passed, the Health Infrastructure Security and Accountability Act would set clearer cybersecurity standards for the healthcare sector while holding large healthcare entities accountable for security failures.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.

Dig Deeper on HIPAA compliance and regulation