Nearly eight months after a hacker attack on UnitedHealth Group Inc.’s technology arm Change Healthcare disrupted the health care industry, Capitol Hill fired a salvo at companies operating across the industry.
A new bill introduced in the U.S. Senate by Democratic Sens. Ron Wyden (Oregon) and Mark Warner (Virginia) would, among other things, establish requirements to improve “the availability and resiliency of health care information systems and health care payments.” The main provisions are summarized below.
The bill, entitled the Health Infrastructure Security and Accountability Act, would establish security and risk management requirements for health care institutions and their affiliated entities, and would impose penalties on companies that violate these obligations. Alongside the severe penalties, the bill also provides for what it calls a “usage fee,” which would fund data monitoring and regulation.
As reported, Change Healthcare was breached earlier this year due in part to the server not having multi-factor authentication protocols enabled, and hackers used stolen credentials to gain entry into the system.
Contents of the bill
The bill would authorize the Department of Health and Human Services to conduct annual audits of at least 20 regulated health care providers, impose civil penalties for violations, and eliminate statutory caps.
The audit includes stress testing and security risk analysis and “includes information regarding the manner and extent to which the entity or affiliate is exposed to risk through its business associates.”
In connection with the modernization and digitization of health care organizations’ operations, the HHS Secretary would, starting in fiscal year 2028, be tasked with identifying “enhanced cybersecurity practices that address the secure use of digital data and identify high-risk cybersecurity vulnerabilities.” The bill specifically mentions ensuring that medical transactions proceed without interruption.
Standards and who pays
The bill aims to introduce mandatory cybersecurity standards for an industry the senators say lacks them; HHS has not conducted a cybersecurity audit since 2017. Part of the problem is funding: lawmakers said an additional $800 million is needed. The bill provides “$500 million in upfront capital payments to rural and urban safety-net hospitals and to all hospitals to implement enhanced cybersecurity standards,” as well as a “proportionate” share of revenue toward national health expenses. There is also a usage fee.
Businesses that violate documentation and auditing requirements or minimum security standards can be subject to civil penalties of up to $5,000 per day. Criminal penalties for individuals who knowingly submit false documents can include fines of up to $1 million and up to 10 years in prison.
In an interview with PYMNTS, Bryan Lewis, CEO of Intellicheck, said that account takeovers are gaining momentum, especially in the wake of data thefts such as this one. One step in the fight against credential leaks could be verifying the authenticity of government-issued IDs, he said. The United Healthcare breach exposed the personal details of millions of people.
“The level of data compromised so far this year has nearly quadrupled compared to last year,” Lewis told PYMNTS CEO Karen Webster. “So that’s definitely an issue.”