Senate Finance Committee Chair Ron Wyden, D-Oregon, and Senator Mark Warner, D-Virginia, have teamed up to announce legislation containing “commonsense reforms” intended to stem the rising wave of cyberattacks that breach Americans’ privacy and cause major disruptions to care nationwide.
The Health Infrastructure Security and Accountability Act would not only mandate cybersecurity protocols but also increase funding to rural and underserved hospitals to meet new cybersecurity standards, Warner said in a statement Thursday.
WHY IT MATTERS
If made law, the proposed reforms in the bill would subject healthcare organizations to enhanced auditing. Regulated entities would also pay user fees to fund the new oversight and enforcement.
Warner has focused on improving the sector’s cybersecurity posture: he has urged the U.S. Department of Health and Human Services to end its reliance on voluntary cybersecurity requirements and released a 2022 policy paper calling for a healthcare cybersecurity czar. In the statement, he said voluntary standards lack the teeth needed to protect patients’ most private data and the continuity of their care.
The lawmakers made it clear that they believe some of the largest healthcare organizations are “ignoring cybersecurity standards.”
“Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” Wyden said in the statement.
“The healthcare industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy.”
The Health Infrastructure Security and Accountability Act, according to a fact sheet on the proposed legislation, calls for “enhanced standards” for “systemically important” entities and for modernizing HIPAA with mandatory minimum cybersecurity standards for healthcare providers, health plans, clearinghouses and business associates.
The bill would also require covered entities and business associates to undergo annual independent cybersecurity audits and to adopt measures ensuring they can restore services promptly after an incident, requirements “which HHS can waive for small providers.”
Top executives would have to certify compliance with the requirements each year, and HHS would have to “proactively audit the data security practices of at least 20 regulated entities each year.”
The bill also proposes to eliminate the statutory caps on HHS’ fining authority so that mega-corporations like UnitedHealth Group “face large enough fines to deter lax cybersecurity.”
While the additional security oversight and enforcement would be paid for by user fees on all regulated entities, the legislative proposal also provides $800 million in payments to rural and urban safety net hospitals to help them meet the enhanced cybersecurity standards, and $500 million for all hospitals.
“With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure healthcare providers and vendors get serious about cybersecurity and patient safety,” Warner said.
THE LARGER TREND
Warner and Wyden’s announcement noted that after the Senate Finance Committee held a hearing in May with UnitedHealth Group CEO Andrew Witty about the February cyberattack against Change Healthcare, a UHG subsidiary, Wyden called on the Biden administration to investigate the company and hold it accountable for its “lax cybersecurity.”
Witty pledged to rebuild the afflicted healthcare payments clearinghouse with cloud-based security. Change also did not have multi-factor authentication in place, which left the organization vulnerable to the cyberattack.
In a strategy paper released in December, HHS also called for new cybersecurity requirements for hospitals and outlined voluntary healthcare-specific cybersecurity performance goals.
“Funding and voluntary goals alone will not drive the cyber-related behavioral change needed across the healthcare sector,” the agency said in an announcement at the time.
Meanwhile, the American Hospital Association pushed back on proposed strategies that it said would penalize hospitals for being the victims of cyberattacks.
“No organization, including federal agencies, is or can be immune from cyberattacks,” Rick Pollack, AHA’s president and CEO, had told Healthcare IT News.
“Imposing fines or cutting Medicare payments would diminish hospital resources needed to combat cybercrime and would be counterproductive to our shared goal of preventing cyberattacks.”
Case in point: The Centers for Medicare and Medicaid Services recently mailed written data breach notifications to 946,801 people after it was caught up, along with many organizations across sectors worldwide, in the exploitation of a vulnerability in a third-party file transfer application discovered in 2023.
CMS said in the letter that protected health information or other personally identifiable information may have been compromised in the breach, which related to MOVEit software.
ON THE RECORD
“Cybersecurity remains an ever-evolving challenge in our healthcare ecosystem and more must be done to prevent cyber attacks and ensure patient safety,” Andrea Palm, deputy secretary of HHS, said in a statement. “Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential.”
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
The HIMSS Healthcare Cybersecurity Forum is scheduled to take place October 31-November 1 in Washington, D.C.