Hospitals and other health care businesses would be required to adopt minimum cybersecurity standards and undergo annual audits under a new bill introduced Thursday by two prominent senators.
The Health Infrastructure Security and Accountability Act, introduced by Sen. Ron Wyden (D-Ore.) and Sen. Mark Warner (D-Va.), would allow the Department of Health and Human Services (HHS) to support hospitals, providing $1.3 billion, and would establish liability for companies that fail to meet cybersecurity standards in order to “solve serious problems.”
Wyden said the bill was needed because “giant companies like UnitedHealth are ignoring Cybersecurity 101, and American families are suffering as a result.”
In February, Change Healthcare, a subsidiary of UnitedHealth, suffered a ransomware attack that severely disrupted the industry across the United States.
“Despite its critical importance to the well-being and privacy of Americans, the healthcare industry has some of the worst cybersecurity practices in the country,” he said.
“These common-sense reforms, including prison terms for CEOs who lie to the government about cybersecurity, will strengthen the cybersecurity of healthcare companies across the country and help stem the wave of cyberattacks that threaten to cripple the U.S. healthcare system.”
Change Healthcare and 19 other companies
The 49-page bill takes a comprehensive approach to addressing cybersecurity protections in the healthcare industry. The minimum standards apply to health care providers, health plans, clearinghouses, and business associates.
Organizations covered by the bill would be required to undergo stress tests to determine whether they can restore service after a cyber incident. For small providers, this may be waived by HHS.
Systemically important organizations, such as Change Healthcare and 19 other organizations, would undergo HHS audits to test their data security practices.
The senators noted that lying to the government is a serious crime, and annual audits that are certified by top management strengthen corporate accountability.
The bill would also eliminate the cap on fines that HHS can issue, allowing harsher penalties for large corporations.
In fiscal years 2027 and 2028, the bill would allow “critical access hospitals or eligible high-needs hospitals” to request funding from the Federal Hospital Insurance Trust Fund to implement mandatory cybersecurity practices. A total of $800 million will be available.
Funding for fiscal years 2029 and 2030 would total $500 million.
The bill also directly addresses one of the biggest issues seen during the Change Healthcare ransomware attack, requiring the HHS Secretary to “enable advanced and rapid security measures in the event of a cybersecurity disruption to the health care system” and authorizing the government to provide Medicare payments during such disruptions.
“Management issues”
Warner warned that continued exposure of medical data and health care delays due to ransomware attacks are “directly endangering the lives and long-term health of Americans.”
He criticized the industry’s continued push for voluntary cybersecurity standards, saying the time had come to move “beyond” that practice and for the government to force healthcare providers, vendors and others to “get serious about cybersecurity and patient safety.”
The bill has the support of HHS, which said in a statement that accountability measures and mandatory cybersecurity requirements for all organizations holding sensitive data are essential.
The American Hospital Association, which has previously criticized attempts to mandate minimum cybersecurity standards, declined to comment on the bill.
The bill comes as hospitals across the country continue to face ransomware attacks, forcing nurses to return to pen and paper and stranding ambulances.
The Change Healthcare hack, which exposed the information of more than a third of all Americans, led to UnitedHealth Group’s CEO admitting that the entire attack was traced to a remote access server that was not protected by multi-factor authentication (MFA). The incident has fueled growing calls for stronger regulation of the health care industry.
The attack on Change Healthcare, considered by many to be the largest ransomware event ever to hit the healthcare industry, sparked outrage as millions of U.S. residents struggled to obtain their medications.
Wyden said last month that UnitedHealth’s senior leadership and board had made a series of reckless decisions for which they must “take responsibility,” most notably appointing a chief information security officer, who started in June 2023, who had not held a full-time cybersecurity role before being promoted to the position.
Josh Corman, a medical cybersecurity expert who led CISA’s coronavirus task force for two years and advocates for stricter cyber protections through his organization, I Am the Cavalry, praised the bill for expanding HHS’ focus on cyber.
The department has until now focused solely on data security under the Health Insurance Portability and Accountability Act (HIPAA), he said, but this bill would give the federal government an expanded role in protecting the U.S. health care system.
He noted that the bill was introduced on the last day before Congress recessed ahead of the elections, so it was unlikely to advance in the current Congress.
“I think this is a starting point for discussion and debate, but what I hope no one can disagree with is that there needs to be accountability and incentives at the executive level, and 20% of regulators can certainly achieve that. We need a sense of urgency to ensure that those responsible for the economy, public safety, and human life have the ability to do their jobs and maintain this trust,” he said.
“If you want to solve something, make it an executive issue.”