Following a series of ransomware incidents and other attacks, U.S. lawmakers have introduced legislation that would set cybersecurity standards for healthcare organizations.
The Health Infrastructure Security and Accountability Act (PDF), proposed by Sen. Ron Wyden (D-Ore.) and Sen. Mark Warner (D-Va.), would direct the Department of Health and Human Services (HHS) to develop minimum cybersecurity standards for health infrastructure: health care providers, health plans, claims centers, and business partners.
Wyden said the action was taken because large companies like UnitedHealth are “ignoring cybersecurity 101,” leading to violations of Americans' data privacy and major disruptions to health care across the country. The standards would apply to organizations deemed critical to national security.
The senator argued that “the health care industry has some of the worst cybersecurity practices in the nation, despite its critical importance to the well-being and privacy of Americans.” “These common-sense reforms, including prison terms for CEOs who lie to the government about cybersecurity, will strengthen the cybersecurity of healthcare companies across the country and help stem the wave of cyberattacks that threaten to cripple the U.S. healthcare system.”
According to the FBI's Summary of Key Elements of the Bill (PDF), there were 725 data breaches involving healthcare organizations in 2023, impacting more than 120 million Americans; the sector is currently the number one target for ransomware attacks. The summary claims these attacks are “completely preventable” and occur because the healthcare industry has “some of the weakest cybersecurity rules of any federally regulated industry.”
Other measures include requiring annual independent cybersecurity audits and defense stress tests (with possible exemptions for smaller providers), and requiring HHS to audit at least 20 regulated entities each year to confirm compliance with the standards.
The bill would also lift the HHS penalty cap so that “large companies face penalties large enough to deter them from lax cybersecurity,” the document says. At the same time, it would advance $800 million in federal funding to rural and urban hospitals and provide $500 million to all hospitals to adopt enhanced cybersecurity standards.
The move follows a notorious attack on UnitedHealth's Change Healthcare division by ransomware group BlackCat (also known as AlphV) earlier this year, which took down systems for more than a week and disrupted patient care.
“Cyberattacks against healthcare providers threaten patients' most personal data, delay essential medical care, and directly endanger the lives and long-term health of Americans,” Warner said.
“With hacks already targeting institutions across the country, now is the time for healthcare providers and vendors to get serious about cybersecurity and patient safety, beyond voluntary standards.”