New Cybersecurity Standards Proposed for Healthcare with Stricter Enforcement
Two Democratic Senators have introduced legislation to strengthen cybersecurity in the healthcare sector by amending titles XI and XVIII of the Social Security Act. Senate Finance Committee Chair Ron Wyden (D-OR) and Senator Mark Warner (D-VA) introduced the bill, called the Health Infrastructure Security and Accountability Act. Its goal is to establish mandatory cybersecurity standards for healthcare organizations and to enforce compliance through severe penalties for those that fail to meet the new requirements.
Healthcare data breaches have become a growing concern. In 2024 alone, the Office for Civil Rights Breach Portal has recorded 394 large breaches (those affecting 500 or more individuals) attributed to hacking or IT incidents, affecting more than 43 million individuals. In 2023, 602 such breaches compromised the data of over 151 million people. These incidents have disrupted patient care, exposed sensitive data, and posed risks to national security. The Senators emphasized that these attacks are preventable, blaming weak cybersecurity practices within healthcare organizations and their business associates.
Currently, enforcement of cybersecurity regulations within healthcare remains insufficient, and there has been little to no update to the Health Insurance Portability and Accountability Act (HIPAA) security requirements since 2013. According to the Senators, the Department of Health and Human Services (HHS) has not conducted a cybersecurity audit since 2017, which leaves healthcare systems vulnerable to attack. Earlier this year, HHS introduced voluntary cybersecurity performance goals covering basic measures such as cybersecurity training, multifactor authentication, and vulnerability mitigation. Voluntary measures alone, however, have not proven effective.
The Health Infrastructure Security and Accountability Act seeks to move beyond voluntary standards. It proposes mandatory protocols to safeguard patient information and healthcare infrastructure. Senator Warner explained that cybersecurity breaches have impacted healthcare institutions nationwide, highlighting the need for stronger, enforceable security measures. The bill also provides funding for rural and underserved hospitals to help them meet the new standards.
A clear example of the catastrophic consequences of a cyberattack is the February ransomware attack on Change Healthcare. The attack demonstrated how overlooking a fundamental control such as multifactor authentication can have disastrous consequences for healthcare services and patient care across the nation. Wyden criticized large healthcare corporations for their lax cybersecurity practices and said that reforms are necessary to prevent future breaches and protect American families.
Requirements of the Health Infrastructure Security and Accountability Act
The Act features strict cybersecurity standards for all entities regulated under HIPAA, including healthcare providers, health plans, healthcare clearinghouses, and their business associates. Instead of encouraging voluntary improvements in cybersecurity, the Act mandates that organizations meet certain baseline requirements or face penalties.
The legislation would ensure that HHS has adequate financial resources to enforce compliance and would require yearly audits to verify that HIPAA-regulated entities are adhering to the cybersecurity standards. Non-compliance would result in severe financial penalties for the organizations.
The Act includes the following requirements:
- Minimum Cybersecurity Standards: All HIPAA-regulated entities must meet mandatory minimum cybersecurity standards. Enhanced cybersecurity requirements would apply to entities deemed systemically critical to national security.
- Annual Cybersecurity Audits: HIPAA-regulated entities must undergo yearly, independent third-party cybersecurity audits. They must also conduct stress tests of their recovery plans to ensure they can recover quickly from a cybersecurity incident. HHS would have the authority to waive some of these requirements for small healthcare providers.
- Strategic Focus Audits: HHS must itself conduct yearly audits of 20 entities, particularly those of the highest strategic importance.
- Executive Accountability: Senior executives of healthcare organizations must certify that their companies comply with cybersecurity requirements. This requirement is modeled after the Sarbanes-Oxley Act, which holds executives accountable for the accuracy of financial statements.
- Support for HHS Enforcement: A user fee on all regulated entities would provide additional resources for HHS to enforce the security requirements. Each entity's fee would be proportional to its share of national health expenditures.
- Medicare Payment Protections: In the event of a cyberattack, the HHS Secretary would have the authority to provide advance or accelerated Medicare payments to healthcare organizations to help them recover from disruptions.
- Financial Support for Hospitals: The bill includes $800 million in upfront investment payments to help rural and urban safety net hospitals meet the enhanced cybersecurity standards. Another $500 million would be allocated to support all hospitals in upgrading their cybersecurity practices.
- Removal of Penalty Caps: The bill removes the statutory caps on civil monetary penalties, allowing fines large enough to be meaningful for big corporations that do not meet the cybersecurity standards.
Implementation Timeline and Requirements
HHS would be tasked with issuing the minimum and enhanced cybersecurity standards within two years of enactment, with updates required at least every two years thereafter. Within six months of enactment, all HIPAA-covered entities and business associates must engage third-party auditors to evaluate their conformity with the security requirements. Until the new security requirements take effect, entities must also review their compliance with the existing HHS cybersecurity performance goals.
Within three years of enactment, organizations must perform a security risk analysis. This analysis must include an evaluation of their exposure to cybersecurity risk through their business associates. They must also develop and document a response plan for natural disasters and cyberattacks, and conduct stress tests to confirm that the plan works. Senior executives, including the CEO and the Chief Information Security Officer, must certify that their organizations comply with all security standards, with the attestation posted publicly and submitted to HHS.
The proposed civil monetary penalties for non-compliance with cybersecurity standards have four tiers:
- Tier 1: Did not know (and could not reasonably have known) – minimum penalty of $500 per violation
- Tier 2: Reasonable cause – minimum penalty of $5,000 per violation
- Tier 3: Willful neglect, corrected – minimum penalty of $50,000 per violation
- Tier 4: Willful neglect, not corrected – minimum penalty of $250,000 per violation
These penalties are intended to hold healthcare organizations accountable and ensure they take necessary steps to protect sensitive patient information from cyberattacks.