Two prominent U.S. senators have introduced legislation that would require hospitals and healthcare organizations to adopt minimum cybersecurity standards and undergo annual audits, in response to ongoing cyber threats and the recent high-profile Change Healthcare ransomware attack. The Health Infrastructure Security and Accountability Act, proposed by Sens. Ron Wyden (D-OR) and Mark Warner (D-VA), aims to address the critical vulnerabilities in the healthcare sector’s cybersecurity practices.
The bill proposes a $1.3 billion allocation to the Department of Health and Human Services (HHS) to assist hospitals and create stronger accountability for companies that fail to meet the cybersecurity requirements. Wyden noted that large corporations like UnitedHealth are “flunking Cybersecurity 101,” referencing the February ransomware attack on UnitedHealth’s subsidiary, Change Healthcare, which disrupted the healthcare industry nationwide. The attack exposed sensitive data affecting more than one-third of Americans.
The legislation targets a wide range of healthcare-related entities, including providers, health plans, clearinghouses, and business associates. It mandates stress tests to ensure organizations can restore services after a cyber incident, with exemptions for smaller providers. Larger entities of systemic importance, such as Change Healthcare, would be subject to annual audits overseen by HHS to evaluate their data security practices.
Key elements of the bill include severe penalties for non-compliance, such as jail time for CEOs who lie about their cybersecurity measures. Additionally, the legislation removes caps on fines that HHS can impose, enabling the government to levy heavier penalties against large corporations that fail to meet the required cybersecurity standards.
In response to the ransomware attack that paralyzed Change Healthcare, the bill also empowers the HHS secretary to provide advanced and accelerated Medicare payments to healthcare providers in the event of a cyber disruption.
Sen. Warner emphasized that ransomware attacks have exposed vast amounts of healthcare data, delayed medical care, and directly endangered the lives and health of Americans. He argued that voluntary cybersecurity standards are no longer sufficient and that healthcare providers must be held accountable for protecting patient data and safety.
The American Hospital Association has expressed opposition to mandatory cybersecurity standards in the past but has not yet commented on the newly proposed bill. Meanwhile, cybersecurity experts like Josh Corman, who led CISA’s COVID Task Force, praised the bill for broadening HHS’s focus on cybersecurity, moving beyond data protection to securing the entire healthcare system.
While the bill was introduced just before Congress adjourns for the election, making it unlikely to pass in the current session, it is expected to serve as a starting point for future discussions on strengthening cybersecurity in the healthcare sector. As Corman put it, “If you want to see something fixed, make it a C-suite problem.”