The Department of Health and Human Services (HHS) would be required to develop and implement “stringent” minimum cybersecurity standards for the healthcare sector under a bill introduced in the Senate Thursday.
The Health Infrastructure Security and Accountability Act, introduced by Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., focuses on stronger standards for “systemically important entities and entities important to national security” among health care providers, health plans, clearinghouses and business associates. The plan is to create standards for people with disabilities. The bill’s language also includes significant financial penalties for noncompliance.
The bill would also amend the Health Insurance Portability and Accountability Act to eliminate caps on fines for large companies and allow HHS to impose “sufficient fines” to “deter lax cybersecurity.” It would also provide $1.3 billion in funding to improve hospital cybersecurity, focused on “under-resourced hospitals in rural and urban areas.”
“Giant companies like UnitedHealth are breaching Cybersecurity 101, and American families are suffering as a result,” Wyden said in a statement. “The healthcare industry has some of the worst cybersecurity practices in the country, even though it is critically important to the well-being and privacy of Americans.”
“These common-sense reforms, including prison sentences for CEOs who lie to the government about cybersecurity, will strengthen the cybersecurity of healthcare companies across the country and prevent a wave of cyberattacks that threaten to cripple the U.S. healthcare system. It will set a course to stop this,” he continued.
The bill would subject companies to fines of up to $5,000 per day if they fail to meet documentation, reporting and auditing requirements.
The bill would also require healthcare providers to submit annual cybersecurity reports and stress tests. HHS will be directed to audit major entities annually, and smaller entities will receive exemptions. Acceleration of Medicare payments by the Secretary of Health during cyber disruptions would also be codified under this legislation.
“Cybersecurity remains an evolving challenge in our healthcare ecosystem, and more efforts are needed to prevent cyberattacks and ensure patient safety,” HHS Deputy Secretary Andrea Palm said in a statement of support for the bill. “Clear accountability measures and mandatory cybersecurity requirements for all organizations holding sensitive data are essential.”
The bill follows the industry’s call for Congress to establish minimum cybersecurity standards following a ransomware attack on UnitedHealth’s Change Healthcare division in February. A cyberattack carried out by a Russian ransomware group using stolen credentials affected an estimated one-third of all Americans and disrupted billing services for providers across the country.