Health Infrastructure Security and Accountability Act Introduced

A bill introduced in Congress aims to strengthen cybersecurity standards in healthcare. Senators Ron Wyden (D-Ore.) and Mark Warner (D-Va.) introduced the Health Infrastructure Security and Accountability Act, which would require the US Department of Health and Human Services (HHS) to set minimum security standards for providers, health plans, clearinghouses, and business associates.

Minimum standards set by HHS would apply to covered entities and business associates and would take into account the potential harm to national security from the theft of patient health data, harm to patients, and impacts on access to care. Enhanced security requirements would apply to covered entities of systemic importance or those considered important to national security. A covered entity or business associate would be considered of systemic importance if a disruption or failure at that entity would have a debilitating impact on access to healthcare or the stability of the healthcare system. The HHS Secretary would be required to update the standards at least every two years.

The bill’s authors argue this legislation is necessary because the HIPAA Security Rule has not been updated since 2013.

“Megacorporations like UnitedHealth are flunking Cybersecurity 101, and American families are suffering as a result,” Sen. Wyden said. “The health care industry has some of the worst cybersecurity practices in the nation despite its critical importance to Americans’ well-being and privacy. These commonsense reforms, which include jail time for CEOs that lie to the government about their cybersecurity, will set a course to beef up cybersecurity among healthcare companies across the nation and stem the tide of cyberattacks that threaten to cripple the American healthcare system.”

Key Elements of the Health Infrastructure Security and Accountability Act

  • Increases fines for failing to meet security standards, including a minimum $250,000 penalty for willful neglect.
  • Requires covered entities and business associates to conduct annual independent cybersecurity audits and stress tests to determine if they can restore service(s) promptly after a natural disaster, disruptive cyber incident, or other technological failure. Entities and associates subject to the enhanced security requirements are required to submit documentation from the audit to HHS on an annual basis. All other entities are required to provide the documentation upon request. HHS can waive this requirement for small providers.
  • Requires HHS to proactively audit the data security practices of at least 20 regulated entities each year, focusing on providers of systemic importance. Reports summarizing the results of the audits must be submitted to Congress every other year for 10 years.
  • Increases corporate accountability by requiring top executives to certify compliance with the requirements annually (Congress already requires executives to sign off on financial statements under Sarbanes-Oxley).
  • Funds HHS’s security oversight and enforcement work through a user fee on all regulated entities.

Support for Hospitals

The bill would provide $800 million over two years for 2,000 rural and urban safety net hospitals to adopt essential cybersecurity standards that address high-risk vulnerabilities in data infrastructure and patient health information. The bill would also provide $500 million to incentivize hospitals to adopt enhanced cybersecurity practices. This second tranche would become available after the initial two years, once rural and urban safety net hospitals had received their up-front payments. Hospitals that do not adopt the enhanced practices within two years of that point would then be subject to a payment penalty.

The Potential Impact on Healthcare Organizations

This bill has a long way to go before it becomes law, if it ever does. It does not have a Republican co-sponsor and so may lack the bipartisan support needed to pass both the Senate and the House.

If enacted, the Act’s larger financial penalties would sharply raise the cost of non-compliance with existing security regulations and with the new requirements the Act adds. The annual independent cybersecurity audit and stress test are labor-intensive requirements. Many organizations are likely already doing something similar if they follow a framework like HITRUST or SOC 2, but for others this will be a new project requiring time, expense, and additional support staff.

Regardless of whether this bill passes, legislative focus has shifted toward improving cybersecurity in healthcare, especially after the Change Healthcare ransomware attack. Other potential changes to the regulatory landscape include HHS restarting random HIPAA audits.

CompliancePoint has a team of healthcare and cybersecurity professionals committed to helping organizations comply with HIPAA, HITRUST, and any other security and privacy regulations. Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.