The Department of Health and Human Services (HHS) would be required to develop and implement “tough” minimum cybersecurity standards for the healthcare sector under legislation introduced to the Senate on Thursday.
The Health Infrastructure Security and Accountability Act, introduced by Sens. Ron Wyden, D-Ore. and Mark Warner, D-Va., would create standards for healthcare providers, health plans, clearinghouses, and business associates, with a focus on stronger standards for “systemically important entities and entities important for national security.” Serious financial penalties for compliance failures are also included in the bill language.
The legislation would also amend the Health Insurance Portability and Accountability Act by removing fine caps for large corporations so that “large enough fines” can be levied to “deter lax cybersecurity.” It would also provide $1.3 billion in funding for cybersecurity improvements in hospitals. The funding would focus on “low-resource hospitals in rural and urban areas.”
“Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” Wyden said in a statement. “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy.”
“These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among health care companies across the nation and stem the tide of cyberattacks that threaten to cripple the American health care system,” he continued.
Under the bill, an entity’s failure to meet documentation, reporting, and audit requirements would result in a fine of up to $5,000 per day.
The bill would also require healthcare entities to file annual cybersecurity reports and stress tests. HHS would be directed to audit key entities yearly, while smaller entities would receive waivers. The acceleration of Medicare payments by the HHS secretary during cyber disruptions would also be codified under the legislation.
“Cybersecurity remains an ever-evolving challenge in our health care ecosystem and more must be done to prevent cyberattacks and ensure patient safety,” Andrea Palm, deputy secretary of HHS, said in a statement supporting the legislation. “Clear accountability measures and mandatory cybersecurity requirements for all organizations that hold sensitive data are essential.”
The legislation follows industry’s calls on Congress to develop minimum cybersecurity standards after a ransomware attack on UnitedHealth’s Change Healthcare unit in February. The cyberattack conducted by a Russian ransomware group using stolen credentials affected an estimated third of all Americans and halted billing services for providers across the nation.