The measure introduced Thursday directs the Department of Health and Human Services to create new minimum cybersecurity standards for the healthcare sector and requires the department to audit healthcare institutions covered by the new rules every year.
The Health Infrastructure Security and Accountability Act, led by Sens. Ron Wyden, D-Ore., and Mark Warner, D-Va., amends the requirements of the Health Insurance Portability and Accountability Act to create new requirements for “Healthcare Providers, Health Plans, Clearinghouses, and Trading Parties,” with a specific focus on health care operations critical to national security. It directs HHS to establish “mandatory minimum cybersecurity standards for
The bill was introduced in the wake of a devastating ransomware attack on UnitedHealth's Change Healthcare division in February, which affected perhaps one-third of all Americans and prevented many of them from filling their prescriptions. It caused medical claims processing problems that lasted into early summer, including payment delays and funding shortfalls for rural clinics and hospitals.
Hackers used stolen credentials to break into Change Healthcare servers that were not protected by multi-factor authentication. Multi-factor authentication requires a second proof of identity, such as a one-time code from a phone or hardware token, in addition to a password, so that a stolen password alone is not enough to log in.
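The second factor missing from those servers is, in most deployments, a time-based one-time password (TOTP, RFC 6238). The following Python is an added example, not code from the article or from any company it mentions, showing how a server verifies such a code: it derives the expected code from a shared secret and the current 30-second time step, tolerates one step of clock skew, and refuses to accept a time step twice so a code captured in transit cannot be replayed. The shared secret is the RFC 4226/6238 test-vector key; the class name, the skew window and the replay policy are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP with the counter set to the time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side second-factor check for one user's enrolled TOTP secret.

    Hypothetical class; the policy (one step of skew, never reuse a time
    step) is a common choice, not something the article specifies.
    """

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step = step
        self.digits = digits
        self.window = window          # time steps of clock skew to tolerate on each side
        self.last_counter = -1        # highest time step already consumed (replay guard)

    def verify(self, code: str, unix_time: int) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue              # already used: reject replays and older codes
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = counter
                return True
        return False


# Constructed demo secret: base32 of the RFC test-vector key "12345678901234567890".
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def demo() -> list:
    """Login sequence: a valid code, a replay of that code, then the next fresh code."""
    v = TotpVerifier(RFC_SECRET_B32)
    return [
        v.verify("287082", unix_time=59),   # RFC vector for time step 1: accepted
        v.verify("287082", unix_time=60),   # same code inside the window: rejected as replay
        v.verify("359152", unix_time=60),   # fresh code for time step 2: accepted
    ]


if __name__ == "__main__":
    print(demo())
```

In a real login flow this check runs only after the password has been verified, and the per-user `last_counter` must be stored server-side (not in the session) so a replayed code is rejected no matter which front-end receives it.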
The measure requires annual cybersecurity audits and stress tests for health care organizations, exempts small health care providers, and requires HHS to audit major institutions annually. It would also eliminate caps on fines for large companies, fund HHS oversight through user fees, and allocate $1.3 billion to hospitals for cybersecurity improvements.
The Secretary of Health and Human Services' ability to accelerate Medicare payments during cyber disruptions would also be codified. The Change hack was perhaps the largest cyber attack on the U.S. healthcare industry to date, with significant cascading effects. According to a survey by the American Medical Association conducted between March 26 and April 3, 80% of physician practices lost income due to unpaid insurance claims, and 55% of respondents said they had to use personal funds to cover expenses.
In extreme cases, healthcare executives who knowingly submit false information in security documentation could face prison time.
“With hacks already targeting institutions across the country, it's time for healthcare providers and vendors to go beyond voluntary standards and get serious about cybersecurity and patient safety,” Warner said.
“Giant companies like UnitedHealth are breaking Cybersecurity 101, and American families are suffering as a result,” Wyden said.
HHS already has some cyber authorities under HIPAA, but the proposed legislation would give the agency more authority, including to maintain an inventory of critical health care organizations. According to the bill's language, the Cybersecurity and Infrastructure Security Agency and the Director of National Intelligence would also help develop the standards.
CISA already maintains a list of systemically important entities, organizations whose infrastructure is so critical that disruption to it could affect national security, economic security, or public health and safety, but the list is not made public for security reasons.
HHS supports the proposed law. “Clear accountability measures and mandatory cybersecurity requirements for all organizations holding sensitive data are essential,” Deputy Secretary Andrea Palm said in a statement.
HHS previously announced steps to strengthen cybersecurity standards through existing programs, including the possibility of using its authorities under the department's major payer programs and HIPAA to enforce compliance.
Healthcare infrastructure is a treasure trove for hackers because it holds digital repositories of sensitive patient information which, if stolen, can be sold to other criminal operators for use in extortion or fraud schemes. Cyberattacks against the healthcare sector jumped 128% in 2023, from 113 known victims in 2022 to 258 in 2023, according to an Intelligence Community analysis published in February.