A new law aimed at improving cybersecurity in the healthcare sector could put leaders of skilled nursing facilities, home health agencies and hospices in jail if they lie about cybersecurity precautions, said one of the bill’s sponsors.
Senate Finance Committee Chairman Ron Wyden (D-Ore.) and Sen. Mark Warner (D-Va.) announced the Health Infrastructure Security and Accountability Act on Thursday. The bill also targets other types of health care operations.
“Despite its critical importance to the well-being and privacy of Americans, the health care industry has some of the worst cybersecurity practices in the country,” Wyden said. “These common-sense reforms, including prison terms for CEOs who lie to the government about cybersecurity, will strengthen the cybersecurity of healthcare companies across the country and help stem the wave of cyberattacks that threaten to cripple the U.S. healthcare system.”
This bill would require the U.S. Department of Health and Human Services to develop and enforce a set of minimum cybersecurity standards for health care providers, health plans, clearinghouses, and their business partners. It would also eliminate existing penalty caps under the Health Insurance Portability and Accountability Act.
Additionally, the bill would authorize HHS to conduct annual compliance audits and impose “significant accountability” on companies that fail to meet certain cybersecurity requirements. HHS would be required to proactively audit the data security practices of at least 20 regulated entities each year, “with a focus on systemically important providers.”
The proposal comes in the wake of a major cyberattack on Change Healthcare, the nation’s largest medical claims clearinghouse, earlier this year. Its users include 67,000 pharmacies, and when the attack was confirmed on February 21st, much of the attention on the initial outage focused on prescriptions and pharmacy billing. Change reports that the outage has forced approximately 90% of U.S. pharmacies to use “modified” electronic billing processes or switch to manual submission.
The bill would codify the HHS secretary’s authority to provide advanced and expedited Medicare payments in the event of a cybersecurity disruption to the health care system “as was necessary during the Change Healthcare attack.”