Senate Finance Committee Chairman Ron Wyden (D-Ore.) and Sen. Mark Warner (D-Va.) have announced a “common sense reform” bill aimed at stopping the rise in cyberattacks that violate Americans’ privacy and cause major disruption nationwide.
Warner said in a statement Thursday that the Health Infrastructure Security and Accountability Act would not only mandate cybersecurity protocols, but would also increase funding so that rural and underserved hospitals can meet the new cybersecurity standards.
Why is it important?
If the reforms proposed in the bill are enacted into law, audits of healthcare organizations would be strengthened, and regulated entities would also pay higher user fees to fund the new oversight.
Warner has focused on improving the sector’s cybersecurity posture, releasing a 2022 policy paper that urged the U.S. Department of Health and Human Services to do away with voluntary cybersecurity requirements and called for the creation of a healthcare cybersecurity czar. In a statement, he said he believed the voluntary standards lacked the teeth necessary to protect patients’ most personal data and continuity of care.
Lawmakers have made it clear that they believe some major medical institutions are “ignoring cybersecurity standards.”
“Giant companies like UnitedHealth are ignoring cybersecurity 101, and American families are suffering as a result,” Wyden said in a statement.
“The health care industry has some of the worst cybersecurity practices in the country, despite its critical importance to the well-being and privacy of Americans.”
The Health Infrastructure Security and Accountability Act would create “enhanced standards” for “systemically important” entities, health care providers, and health insurance clearinghouses, according to a fact sheet for the proposed bill, and calls for modernizing HIPAA’s mandatory minimum cybersecurity standards for business associates.
The bill also requires covered entities and business associates to submit annual independent cybersecurity audits and follow other measures to ensure that services can be quickly restored after an incident, and “HHS may provide exemptions for small providers.”
Top executives will be required to certify compliance with the requirements annually, and HHS will be required to “actively audit the data security practices of at least 20 regulated entities annually.”
The bill would also remove statutory caps on HHS’ fine authority so that giant companies like UnitedHealth Group “face fines large enough to deter them from lax cybersecurity.”
Additional security oversight and enforcement would be paid for through user fees for all regulated entities, and the bill also includes $800 million to pay for enhanced cybersecurity standards at rural and urban safety-net hospitals, as well as $500 million for all hospitals.
“With hacks already targeting institutions across the country, it’s time for healthcare providers and vendors to go beyond voluntary standards and get serious about cybersecurity and patient safety,” Warner said.
Bigger trends
Warner and Wyden announced the bill after the Senate Finance Committee held a hearing in May with UnitedHealth Group CEO Andrew Witty regarding the February cyberattack on UHG subsidiary Change Healthcare. At the time, Wyden said he had called on the Biden administration to investigate the giant corporation and hold it accountable for its “lax cybersecurity.”
Witty pledged to rebuild the affected clearinghouse’s systems using cloud-based security. Change Healthcare had also not implemented multi-factor authentication, leaving the organization vulnerable to cyberattacks.
In a strategy document released in December, HHS also called for new cybersecurity requirements for hospitals and outlined voluntary healthcare-specific cybersecurity performance goals.
“Funding and voluntary targets alone will not foster the cyber-related behavioral changes needed across the health care sector,” the agency said in a statement at the time.
Meanwhile, the American Hospital Association rejected the proposed strategy, saying it would penalize hospitals for cyberattacks.
AHA President and CEO Rick Pollack told Healthcare IT News that “no organization, including federal agencies, is immune and cannot be immune from cyberattacks.”
“Issuing fines or reducing Medicare payments would reduce hospital resources needed to fight cybercrime and be counterproductive to our common goal of preventing cyberattacks.”
Case in point: The Centers for Medicare and Medicaid Services recently mailed written data breach notifications to 946,801 people caught up in a breach that occurred when a vulnerability was discovered in a third-party application used for file transfer, an incident that affected a large number of organizations in various sectors around the world earlier this year.
CMS said in the letter that a cyber breach related to the MOVEit software may have compromised protected health information and other personally identifiable information.
On record
“Cybersecurity remains an evolving challenge in the healthcare ecosystem, and more needs to be done to prevent cyber-attacks and ensure patient safety,” HHS Deputy Secretary Andrea Palm said in a statement. “Clear accountability measures and mandatory cybersecurity requirements for all organizations holding sensitive data are essential.”
Andrea Fox is a senior editor at Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a publication of HIMSS Media.