
Dive Brief:

  • Lawmakers introduced a bill Thursday that would set cybersecurity standards for healthcare organizations as the industry faces a wave of cyberattacks and data breaches. 
  • The legislation, sponsored by Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., would direct the HHS to develop minimum cybersecurity standards for providers, health plans, claims clearinghouses and business associates. Enhanced cyber standards would apply to organizations that are deemed important to national security.
  • The bill would also provide millions to hospitals to help them adopt the requirements — a major concern for providers who say limited resources and funds worsen cyber preparedness, especially at rural and safety-net facilities. 

Dive Insight: 

The Health Infrastructure Security and Accountability Act includes a range of reforms aimed at bringing healthcare cybersecurity up to snuff — a problem that’s grown in significance as the sector experiences an increasing number of cyberattacks that can disrupt patient care.

The bill requires the HHS to adopt minimum and enhanced cybersecurity measures that would apply to HIPAA-covered entities and their business associates.

Healthcare organizations would be required to conduct cybersecurity assessments and stress tests. The HHS would audit the data security of at least 20 companies per year to ensure compliance. 

The legislation also seeks to increase civil penalties for organizations that fail to comply with security standards — including a proposed minimum fine of $250,000 for violations in willful neglect that go uncorrected. 

The HHS would also be authorized to charge user fees to covered entities and business associates. Those fees would allow the agency to take on the increased oversight work, a challenge the HHS hasn’t been appropriately funded to manage, the senators wrote in a summary of the legislation.

“The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy,” Wyden said in a statement. “These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American health care system.” 

The legislation also includes money to help hospitals adopt the cyber standards, including $800 million to 2,000 safety-net hospitals to use essential practices and $500 million to incentivize all hospitals to take up enhanced cyber standards. And if providers face cash flow challenges amid a cyberattack, the bill would allow the HHS to provide accelerated and advanced Medicare payments.

Robust cybersecurity is key, but the Healthcare Leadership Council, a group of CEOs and C-suite executives from health systems, insurers, technology firms and pharmaceutical companies, argues the bill is misguided.

“The healthcare industry faces increasing, aggressive cyberattacks. Instead of offering support and partnership to defend against relentless cybercriminal enterprises, this bill singles out our industry’s members for punishment,” President and CEO Maria Ghazal said in a statement.

Hospital groups have previously raised concerns that financial penalties for failing to meet standards would hurt small, rural and under-resourced facilities, which already struggle to dedicate funds to cybersecurity.

Still, federal regulators have hinted for months that healthcare cyber requirements could be coming down the pike. 

Early this year, the HHS released voluntary cybersecurity goals divided into essential safeguards — like email security, multifactor authentication and basic cybersecurity training for employees — and enhanced protections, including cybersecurity testing and vendor threat assessment. 

The Biden administration’s proposed budget for 2025 included financial incentives and penalties for hospitals to adopt cybersecurity standards. 

But the high-profile cyberattack on technology firm and claims processor Change Healthcare earlier this year put the sector’s vulnerabilities in the spotlight. The attack slowed payments to providers for weeks, and millions of Americans’ data could be compromised.

Citing the impact of the Change cyberattack, Wyden urged the HHS earlier this summer to require large healthcare organizations to improve their cybersecurity. 
