Democratic Senators Propose Mandatory Cybersecurity Standards in Healthcare and Greater Accountability
Two Democratic senators have announced new legislation to update Titles XI and XVIII of the Social Security Act to strengthen security standards for health information and increase oversight of, and compliance with, those standards. The proposed legislation will address healthcare infrastructure cybersecurity and ensure that serious financial penalties are imposed for compliance failures.
The legislation – The Health Infrastructure Security and Accountability Act – was introduced by Senate Finance Committee Chair Ron Wyden (D-OR) and Senator Mark Warner (D-VA) and seeks to introduce minimum standards for cybersecurity to make it harder for cybercriminals to breach healthcare networks.
Currently, the HHS’ Office for Civil Rights Breach Portal shows 394 large data breaches have been reported in 2024 that are attributed to hacking/IT incidents, and those breaches have affected more than 43 million individuals. In 2023, 602 data breaches were reported as hacking/IT incidents involving the healthcare records of more than 151 million individuals.
These cyberattacks have delayed and disrupted patient care, harmed patient health and national security, resulted in the theft of Americans’ sensitive data, and put Americans at risk of identity theft and fraud. “These hacks are entirely preventable and are the direct result of lax cybersecurity practices by health care providers and their business partners,” wrote the Senators.
The Senators also explained that there is insufficient enforcement of current cybersecurity requirements and a lack of essential updates to HIPAA. “HHS has not been appropriately funded to be an effective cop on the beat — it has not conducted a cybersecurity audit since 2017, and has not issued updated regulations under the HIPAA Security Rule since 2013.”
The HHS’ Office for Civil Rights announced cybersecurity performance goals in January, which are sets of high-impact measures that can be implemented to improve cybersecurity. Those goals, which include basic cybersecurity measures such as multifactor authentication, email security, basic cybersecurity training, and mitigating known vulnerabilities, are only voluntary.
“With hacks already targeting institutions across the country, it’s time to go beyond voluntary standards and ensure health care providers and vendors get serious about cybersecurity and patient safety. I’m glad to introduce legislation that would mandate sensible cybersecurity protocols while also getting resources to rural and underserved hospitals to ensure they have the funding to meet these new standards,” said Sen. Warner.
The Change Healthcare ransomware attack in February demonstrated the devastating impact a single cyberattack can have on patients and providers across the country, and how something as fundamental to cybersecurity as having multifactor authentication on all accounts can be skipped by a company with profits larger than the GDP of a small country.
“Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” said Sen. Wyden. “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy. These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American health care system.”
Health Infrastructure Security and Accountability Act Requirements
The Health Infrastructure Security and Accountability Act introduces tough new cybersecurity standards for healthcare providers, health plans, healthcare clearinghouses, and business associates of those entities. Rather than encouraging healthcare organizations to improve cybersecurity, the Health Infrastructure Security and Accountability Act demands it and will create serious accountability for companies that fail to meet new minimum standards for cybersecurity.
The Health Infrastructure Security and Accountability Act will also ensure that the HHS has the appropriate financial support to effectively enforce compliance and demands annual audits of HIPAA-regulated entities to ensure that they comply with the new cybersecurity requirements. There will also be hefty financial penalties for non-compliance.
Some of the key requirements of the bill are:
- The creation of mandatory minimum cybersecurity standards for HIPAA-regulated entities and enhanced cybersecurity standards for systemically important entities and those important to national security
- HIPAA-regulated entities must submit to annual, independent cybersecurity audits and conduct stress tests to ensure they can restore services promptly after a cybersecurity incident. The HHS will be permitted to waive certain requirements for small providers.
- The HHS must conduct annual audits of at least 20 regulated entities, focusing on those that have the highest strategic importance
- Top executives must annually certify compliance, as is the case under the Sarbanes-Oxley Act for financial statements
- Provide greater support to the HHS security oversight and enforcement work through a user fee on all regulated entities. The user fee will be equal to the entity’s pro rata share of national health expenditures
- Codify the Secretary’s authority to provide advanced and accelerated Medicare payments in the event of a cybersecurity disruption to the health system, as was necessary during the Change Healthcare attack
- Make $800 million available in up-front investment payments to rural and urban safety net hospitals
- Provide $500 million to all hospitals to adopt enhanced cybersecurity standards
- Remove the statutory penalty caps on HHS’ fining authority to ensure mega-corporations face fines that are large enough to deter lax cybersecurity
The HHS will be required to adopt the minimum and enhanced cybersecurity standards within 2 years and update those standards at least every 2 years. Within 6 months of enactment, all covered entities and business associates will be required to contract with an independent auditor to assess compliance with the security requirements, and before the security requirements are effective, covered entities and business associates will be required to assess compliance with the HHS cybersecurity performance goals.
Within 3 years of enactment, HIPAA-covered entities will be required to conduct and document a security risk analysis that includes information on the manner and extent to which the entity or associate is exposed to risk through its business associates. They must also document a plan for the rapid and orderly resolution of a natural disaster, disruptive cyberattack, or other technological failure affecting their own information systems or those of their business associates, and conduct a stress test to ensure that the plan is effective. In addition, a written statement must be signed by the CEO and CISO attesting that the company is in compliance with all applicable security standards and requirements. The attestation must be provided to the Secretary of the HHS and be posted on the company’s public-facing website.
Proposed Penalties for Noncompliance
The proposed civil monetary penalties for the failure to comply with cybersecurity standards are:
- No knowledge – Minimum of $500
- Reasonable cause – Minimum of $5,000
- Willful neglect (Corrected) – Minimum of $50,000
- Willful neglect (Uncorrected) – Minimum of $250,000